introduction to number theory lecture notes - mathboocher/writings/numbertheorynotes.pdf ·...
TRANSCRIPT
Introduction to Number TheoryLecture Notes
Adam Boocher (2014-5), edited by Andrew Ranicki (2015-6)
December 4, 2015
1 Introduction (21.9.2015)
These notes will cover all material presented during class. These lectures have been compiledfrom a variety of sources, mainly from the recommended books:
• Elementary Number Theory, by Kenneth H. Rosen, 6th Edition, 2011, Pearson. Li-brary: QA241Ros
• A friendly introduction to number theory by J. H. Silverman, Prentice Hall, 2013.Li-brary: QA241Sil
These books are both excellent sources of examples, additional practice problems and Ifind them to be eminently readable. They are on reserve in the Murray Library.
1.1 A Preview: Pythagorean Triples
(Pink type = either internal or external webreference).The classical theorem of Pythagoras1 states that if a, b, c are the side lengths of a righttriangle, (c being the hypotenuse) then
a2 + b2 = c2.
In this lecture we shall answer the following
Question 1.1. What are the natural number solutions (a, b, c) to the equation a2+b2 = c2?Such a solution is called a Pythagorean triple.
Example 1.2. Some easy-to-remember Pythagorean triples are e.g. (3, 4, 5), (5, 12, 13), (8, 15, 17).
A first question we might ask if there are infinitely many such triples. However, we seethat as soon as we have a single solution, we have found infinitely many:
1Extract from the Danny Kaye film Merry Andrew (1958)
1
Remark 1.3. If (a, b, c) is a Pythagorean triple, and d is any positive integer then so is(da, db, dc).
Proof. We just check that
(da)2 + (db)2 = d2(a2 + b2) = d2(c2) = (dc)2.
Given this fact, we define a primitive Pythagorean triple (PPT) to be a Pythagoreantriple such that a, b, c have no common factor. This means that there is no number d thatdivides all of a, b, c. We can now rephrase Question 1.1 as: What is the set of PPTs?
As a first step, let’s consider the possible parities of the numbers (the parity of a numberrefers to whether the number is even or odd). It’s straightforward to check that the squareof an even number is even, and the square of an odd number is odd. With that in mind, theonly possible solutions to a2 + b2 = c2 must be of the form
odd + odd = evenodd + even = odd
even + even = even
We can rule out the last possibility since that would imply that a, b, c are divisible by 2. Wecan also rule out the first possibility: Suppose that
a = 2x+ 1, b = 2y + 1, c = 2z.
Then after simplifying we see that
4x2 + 4x+ 4y2 + 4y + 2 = 4z2.
But this is impossible, since the right hand side is divisible by 4 but the left hand side is not!Hence we can reformulate Question 1.1 as
Question 1.4. Find all natural number solutions to a2 + b2 = c2 with a odd, b even, anda, b, c have no common factors.
Remark 1.5. Notice that requiring that a, b, c have no common factor is the same as requir-ing that no two of them share a common factor. Indeed, if p was a common prime factor,then if p divides, say c and b, then it divides c2 − b2 and hence it divides a2. But now byprime factorisation, this means it divides a.
Let’s get to work! We can note that
a2 = c2 − b2 = (c− b)(c+ b)
In other words, the product of (c − b) and (c + b) is a perfect square. We shall now showthat c− b and c+ b are relatively prime. Indeed, suppose that they both shared a commonprime factor d, then certainly d should divide their sum and difference. Thus d divides
(c− b) + (c+ b) = 2c, and (c+ b)− (c− b) = 2b.
2
But now b and c have no common factor, so it must be that d divides 2. But d cannot be 2since c+b is odd! But now as c−b, c+b have no factors in common (i.e. they are relativelyprime) we see that the only way that their product can be a square is if both factors aresquares: the proof relies on unique factorization of integers 2. Here is the proof: for distinctodd primes p1, p2, . . . , pk, q1, q2, . . . , q` and positive integers e1, e2, . . . , ek, f1, f2, . . . , f` > 1
c− b = pe11 pe22 . . . pekk , c+ b = qf11 q
f22 . . . qf``
we have thata2 = (c− b)(c+ b) = pe11 p
e22 . . . pekk q
f11 q
f22 . . . qf``
so that each of e1, e2, . . . , ek, f1, f2, . . . , f` is even, and c− b, c+ b are both squares. Thus
c+ b = s2 , c− b = t2,
where s > t > 1 are odd integers with no common factors. Then
a =√
(c− b)(c+ b) =√s2t2 = st .
We can now solve for b and c to obtain our first
Theorem 1.6. Every PPT (a, b, c) with a odd satisfies
a = st , b =s2 − t2
2, c =
s2 + t2
2,
where s > t > 1 are chosen to be odd integers with no common factors.
You should notice that we have only completed “half” of this proof. To complete it, weshould show that for every such choice of s, t we actually obtain a PPT, which is immediatefrom the algebraic identity
xy = (x+ y
2)2 − (
x− y2
)2
with x = s2, y = t2.This theorem is quite striking at first glance, but it still leaves a bit to be desired as to
“why” PPTs should have such a special form. Also, we seemed to have gotten lucky with oureven/odd analysis in the proof. Indeed, for many problems in number theory, things won’twork out this nicely! However, there is a nice method which extends a bit more generally,which we present here.
1.2 A Geometric Derivation
Notice that if (a, b, c) is a PPT then (a/c, b/c) is a point with rational coordinates on theunit circle x2 + y2 = 1. As students in the North, we naturally notice that N = (0, 1) isa point on the circle. Never matter that one of the coordinates is zero, we can worry aboutthat later. The key insight is to now notice that if (x, y) is another point on the circle with
3
N = (0, 1)
(x, y)
Figure 1: Geometric Method of Finding Pythagorean Triples
rational coordinates then the slope of the line between these two points will have rationalslope. The converse is also true, which we prove now:
Suppose that P = (x, y) is a point on the unit circle such that the line between N andP has a rational slope m. Then m = (y − 1)/x or equivalently y = mx+ 1. Since P lieson the unit circle, we can conclude that
x2 + (mx+ 1)2 = 1
(1 +m2)x2 + 2mx+ 1 = 1
x((1 +m2)x+ 2m) = 0
This equation describes the set of points that lie on the intersection of the circle and theline. The solution x = 0 is the point N , and the solution x = (−2m)/(1 +m2) describesthe point P . Using y = mx+ 1 we have proven
Theorem 1.7. Every point on the circle x2 + y2 = 1 with rational coordinates is of theform
(x, y) =
(−2m
1 +m2,1−m2
1 +m2
)where m is a rational number. (Except for the point (0,−1) which is the limiting value asm→∞.)
If we write m = u/v and clear denominators, then we see that this formula becomes:
(x, y) =
(−2uv
u2 + v2,v2 − u2
v2 + u2
)which if we plug into the equation for the unit circle and simplify we get
x2 + y2 = 1
2to be covered in the next lecture
4
(−2uv)2 + (v2 − u2)2 = (v2 + u2)2
(uv)2 +
(v2 − u2
2
)2
=
(v2 + u2
2
)2
.
Comparing with 1.6 we see that we’ve found exactly the same points! You may have seenthese formulae in trigonometry: for any angle θ
(sin 2θ, cos 2θ) = (2 tan θ
1 + tan2 θ,1− tan2 θ
1 + tan2 θ)
with m = − tan θ = tan(π − θ) here.There are lots of other questions we might want to answer. For example, if c is given,
do there exist a and b so that a2 + b2 = c? If so, how many such a and b are there? Forexample
332 + 562 = 652 and 162 + 632 = 652.
It turns out that the a highbrow way to view this question (and others) involves passing tothe so-called ring of Gaussian integers - which involves imaginary numbers. We shall returnto this topic at the end of the course once we have a larger toolkit.
Main Points from Lecture 1:
• Know how to find infinitely many PPTs
• Be able to use the geometric method of using lines with rational slope to find rationalpoints. Memory of this method is important. Memory of the actual formulas is not.
• Have familiarity with basic divisibility arguments.
2 The Primes (24.9.2015)
Notation: Z = ring of integers {0,±1,±2, . . . };N = set of positive integers {1, 2, 3, . . . };Q = field of rational numbers {n/m : m ∈ N, n ∈ Z};R = field of real numbers.
2.1 Prime Numbers
A positive integer p > 1 is called prime if p 6= mn for all m,n ∈ N with m > 1 and n > 1.Otherwise (i.e., if c > 1 can be written as c = mn for some m,n ∈ N with m > 1 and n > 1)then c is called composite.
Theorem 2.1 ( Fundamental Theorem of Arithmetic). Every n ∈ N has a unique represen-tation as a product of primes:
n = pe11 · · · pekk , where k > 0 and each ej ∈ N.
5
[Convention: empty products (here, for n = 1, are = 1, and empty sums are = 0.]This theorem was proved in Year 1 (in Proofs and Problem-solving). See Martin Liebeck:
A concise introduction to Pure Mathematics, Chapman and Hall 2000. A visualisation of thistheorem can be seen at http://www.datapointed.net/visualizations/math/factorization/animated-diagrams/
Remark 2.2. We’ve known some version or other of the FTA for most of our lives, andas such it probably seems like a rather obvious, and daresay, even boring fact. However, it’sreally quite a striking feature of the natural numbers. Later in the course we will encounterother number systems (i.e. rings) in which unique factorization into primes does not hold.For an excursion in this direction, take a look at Silverman’s discussion on the E−world, inwhich he talks about the set of even numbers.
Proposition 2.3. Suppose p, n,m ∈ N with p prime and p dividing nm (i.e., pr = nm forsome r ∈ N). Then either p | n (“p divides n”) or p | m (or possibly both).
Proof. By Theorem 2.1 every integer r ∈ N has a unique expression as product
r = per0
with e > 0 and r0 a product of primes 6= p. Think of the exponent e as the analogue of thelogarithm of r which only takes note of the powers of p in r, noting that
1. p | r if and only if e > 1, just like x > 1 if and only if log x > 0,
2. for the product r′′ = rr′ of r, r′ ∈ N with r = per0, r′ = pe
′r′0
r′′ = pe′′r′′0 = pe+e
′(r0r
′0)
so that e′′ = e+ e′ just like log xx′ = log x+ log x′.
Do this kind of factorization for r, n,m
r = per0 , n = pfn0 , m = pgm0 .
From pr = nm we havepe+1r0 = pf+gn0m0 ,
ande+ 1 = f + g ∈ N
At least one of f, g must be > 1, so that either p | n or p | m.
This result is false for composite numbers, as e.g., 6 = 2 · 3, and so 6 | 2 · 3, but 6 - 2 and6 - 3. More generally, if c = nm with n > 1, m > 1 (so c composite) then c | nm but c - nand c - m. In general, if you see a non-example like this, remember it! This is the best wayto remember the hypotheses of theorems.
6
Example 2.4. If p is a prime number and p divides 2n then either p divides 2 or p dividesn. We used this fact in the first lecture when we were discussing Pythagorean triples.
Theorem 2.5. If n is composite then it must be divisible by some prime 6√n.
Proof. If all prime factors of n are >√n then clearly all factors of n are >
√n. Thus since
n is composite, we have some factorisation n = ab >√n√n = n, a contradiction.
This gives us a reasonable algorithm to enumerate, the first few primes. Suppose wewanted to enumerate all primes less than 100. We could write the first 100 numbers down,and then cross off all multiples of 2, 3, 5, and 7. By the previous theorem, any num-bers remaining must be prime, since
√100 = 10. This is called the Sieve of Eratosthenes.
For an animation and more information click: http://en.wikipedia.org/wiki/Sieve_of_Eratosthenes
2.2 Distribution of the primes
A whole course could be devoted to the distribution of the prime numbers. Basically the mainmotivating question asks: How are the primes interspersed among the natural numbers? Asa first step, we know from Euclid that there are infinitely many primes:
Theorem 2.6. (Euclid) There are infinitely many prime numbers.
Proof. Suppose that there were only finitely many primes p1, . . . , pk. Then consider theinteger N = p1 · · · pk + 1. This number is not divisible by any of the pi (it has remainder 1upon division). However, by Theorem 2.1 it must be divisible by some prime p. Since this pis none of our pi we have a contradiction. We must not have written down all the primes.
The same proof shows that there are infinitely many odd primes. In other words, thereare infinitely many prime numbers of the form 2k + 1. On the first homework assignmentyou will prove that there are infinitely many prime numbers of the form 4k + 3. In fact,these are the special cases (a, b) = (2, 1) and (4, 3) of a much stronger statement:
Theorem 2.7 (Dirichlet’s Theorem). If a and b are positive integers not divisible by thesame prime then there are infinitely many primes of the form ak + b.
The proof of this theorem is difficult, and is beyond the scope of this course. It is just thetip of the iceberg concerning questions about the distribution of the primes. My favouritetheorem of this type, for which we do have an elementary proof is the following. It providesyet another proof that there are infinitely many primes.
Theorem 2.8. The sum of the reciprocals of the primes diverges∑p prime
1
p→∞.
7
We will need the following tools for the proof:
0. The Fundamental Theorem of Arithmetic.
1. 1/(1− x) = 1 + x+ x2 + · · ·+ xn + · · · .
2. log(1− x) = −x− x2/2− x3/3− · · · − xn/n− · · · .
3. The harmonic series 1 + 1/2 + 1/3 + 1/4 + · · · diverges.
(Tools 1-3 were introduced in Calculus, (recall that the series∑
1/ns converges if andonly if s > 1.)
Proof. Let n be a natural number. We define the following product:
λ(n) =∏p6n
(1
1− 1p
)
Our first goal is to prove that λ(n) diverges. To see this, note that we can rewrite each ofthe factors as an infinite sum using Tool 1.
λ(n) =
(1 +
1
2+
1
22+ · · ·
)(1 +
1
3+
1
32+ · · ·
)(1 +
1
5+
1
52+ · · ·
)· · ·
When we expand this product, we will obtain all fractions of the form
1
2a13a2 · · · pakk
where all prime factors 6 n appear. By the fundamental theorem of arithmetic, we’ll get allthe numbers 1, 1
2, 13, . . . , 1
n(and many many more). Therefore
λ(n) > 1 + 1/2 + 1/3 + . . .+ 1/n.
Hence as n → ∞, λ(n) → ∞ by Tool 3. In particular this means that log λ(n) → ∞ asn→∞.
Our second (and final goal) is to relate λ(n) with the series∑
1/p. To do this, we takelogs. By basic properties of logs of products and reciprocals, we obtain:3
log(λ(n)) =∑p6n
− log(1− 1/p).
3If you’re reading these notes, now is a good time to grab a pen and paper and track the followingderivations carefully. The concepts aren’t difficult, but unfortunately the notation can make this seem a bitintimidating.
8
Using Tool 2, we obtain:
− log(1− 1/p) =1
p+
1
2p2+
1
3p3+
1
4p4+ · · ·
<1
p+
1
p2+
1
p3+
1
p4+ · · ·
=1
p(1 +
1
p+
1
p2+
1
p3+
1
p4+ · · · )
=1
p· 1
1− 1/p=
1
p· p
p− 1
62
p.
But then this means that
log λ(n) <∑p6n
2
p.
Since the left hand side diverges, we have that∑
p6n2p
diverges. Division by two yields theresult.
This Theorem is somewhat surprising, since for instance the sum 1+1/4+1/9+1/16+· · ·converges, yet
∑1/p diverges. Hence it might be appropriate to say that “There are more
prime numbers than square numbers.” However this sentence is pure nonsense without aproper definition. Along a different track, one way of measuring how many prime numbersthere are is to consider the fraction of natural numbers that the primes comprise.
Consider the functionπ(n) = #{primes p 6 n}.
E.g. π(5) = 3, π(100) = 25, and π(5000) = 669. In 1850 Chebyshev proved that there existreal numbers C1, C2 with 0 < C1 < 1 < C2 such that
C1(n/ log n) < π(n) < C2(n/ log n)
In particular, in the limit we have
limπ(n)
n= 0 .
In other words, the primes have density 0 in the natural numbers. For an awesome elementaryproof of this fact, check out http://www.math.udel.edu/~idmercer/primes-density.pdf.
It is interesting to ask how quickly this ratio π(n)/n approaches zero.
Theorem 2.9. When n is large, the number of primes less than x is approximately equal tox/ lnx. In other words
limx→∞
π(x)
x/ ln(x)= 1.
9
This theorem was conjectured by many in the late 18th century, and was first noticedby observing tables of prime numbers made by hand. It was first proved independentlyby Hadamard and de la Valee-Poussin in 1896. Their proofs use complex analysis. Anelementary proof was discovered by Paul Erdos and Atle Selberg in 1949. Proofs from theBook is a great book, containing many beautiful and elegant proofs of theorems, which isavailable for download from within the EASE network. For an excellent story, check out DonZagier’s The First 50 Million Prime Numbers, or watch the video of Barry Mazur talkingabout the Riemann Hypothesis http://fora.tv/2014/04/25/Riemann_Hypothesis_The_
Million_Dollar_Challenge. We don’t have time in this course to go much more into thetheory of the distribution of the primes, but there are many accessible introductions to thisarea.
Finally, it wouldn’t be a lecture about the distribution of the primes if we didn’t includeat least two open conjectures.
The Twin Prime Conjecture is that there are infinitely many primes p such that p+ 2 isalso prime. In 2013 Yitang Zhang proved that there exists an integer N < 7, 000, 000 suchthat there is an infinite number of primes p such that p+N is also prime - a rather romanticstory! The current record for the lower bound is that there exists an integer N 6 246 suchthat there is an infinite number of primes p such that p + N is also prime: there is up todate information on the websitehttp://michaelnielsen.org/polymath1/index.php?title=Bounded gaps between primes.
Conjecture 2.10. (Twin Prime Conjecture) There are infinitely many prime numbers psuch that p+ 2 is also prime. These are called twin primes.
Conjecture 2.11. (Goldbach Conjecture) Every even integer larger than 2 can be writtenas a sum of two primes.
There is even a novel about the Goldbach Conjecture. Extra credit (and fame andfortune) goes to anyone who can solve it!
Main Points from Lecture 2:
• Statement of the Fundamental Theorem of Arithmetic and fluency in using uniquenessto prove statements such as Prop 2.3.
• Proof of the infinitude of primes and its variants.
• The statement that∑
1/p diverges.
3 The greatest common divisor, the lowest common
multiple and the Euclidean Algorithm (28.9.2015)
The greatest common divisor (gcd) of n,m ∈ N is, as the name suggests, the largestinteger that divides both of them. Such an integer always exists, as 1 | n and 1 | m (so
10
common divisors exist) and clearly no common divisor can exceed min(n,m) (so we aretaking the maximum over a nonempty finite set. To recap: 1 6 gcd(n,m) 6 min(n,m).
In some texts the gcd is called the hcf (“highest common factor”). We will often denotethe gcd of a and b simply by (a, b). In particular, if (a, b) = 1 then we say that a and b arerelatively prime.
The least common multiple (lcm) of n,m ∈ N is the smallest integer that both n andm divide. Again, such an integer exists, as n and m both divide nm. So clearly
max(n,m) 6 lcm(n,m) 6 nm.
Example 3.1. One way of computing the gcd is to factorize. For example 24 = 23 · 3 and84 = 22 · 3 · 7. Hence the greatest common factor is 22 · 3 = 12.
As we’ll see shortly, there is a method for computing the gcd that doesn’t involve factoring.This is a good thing as factoring is quite slow.
Proposition 3.2. Given m,∈ N let p1, . . . , pk be the primes dividing m or n (i.e., mn), andwrite
m =k∏i=1
peii , n =k∏i=1
pfii ,
where ei > 0, fi > 0. Then
(i) gcd(m,n) =∏k
i=1 pmin(ei,fi)i ;
(ii) lcm(m,n) =∏k
i=1 pmax(ei,fi)i ;
(iii) gcd(m,n) · lcm(m,n) = mn;
(iv)
gcd
(n
gcd(n,m),lcm(n,m)
n
)= 1.
Proof. (i) Suppose that d | m. Then dd′ = m say. so any prime dividing d will dividedd′ = m. Hence d is of the form
d =k∏i=1
pe′ii , where e′i > 0.
Since d | m, clearly e′i 6 ei.
If also d | n, then e′i 6 fi. so e′i 6 min(ei, fi). But∏k
i=1 pmin(ei,fi)i divides both m and
n, so it is their gcd.
(ii) Similarly if m | ` and ` =∏k
i=1 pf ′ii · `′ say, where `′ is a product of primes different
from p1, . . . , pk, then also m |∏k
i=1 pf ′ii , so we can take `′ = 1 (i.e., ignore it!). Hence
k∏i=1
peii |k∏i=1
pf ′ii ,
11
so that ei 6 f ′i . Similarly n | ` gives fi 6 f ′i . Hence f ′i > max(ei, fi). But clearly m
and n both divide∏k
i=1 pmax(ei,fi)i , so this must equal lcm(m,n).
(iii) If e and f are any two real numbers then
min(e, f) + max(e, f) = e+ f,
since one of min(e, f) and max(e, f) is e and the other is f . Hence
gcd(m,n) · lcm(m,n) =k∏i=1
pmin(ei,fi)+max(ei,fi)i =
k∏i=1
pei+fii = mn.
(iv) We have using (iii) that
gcd
(n
gcd(n,m),lcm(n,m)
n
)= gcd
(n
gcd(n,m),
m
gcd(n,m)
)=
gcd(n,m)
gcd(n,m)= 1.
Proposition 3.3. Suppose that (a, b) = d. Then (a/d, b/d) = 1.
Proof. Suppose that c = (a/d, b/d) is the gcd. Then a/d = c · k and b/d = c · l. Clearingfractions we see that a = ckd b = cld. But then cd is a common factor of a and b. Since dwas the gcd(a, b) we must have that cd = d and hence c = 1.
Proposition 3.4. If a, b, c are integers then (a+ cb, b) = (a, b).
Proof. Let d = (a+ cb, b) and e = (a, b). Since e divides a and b it surely divides a+ cb andb, so e | d. Conversely, since d | b, it follows that if d | a+ cb then d | (a+ cb)− cb and henced | a. Thus d divides a and b whence d | e. Since d and e divide one another, they must beequal.
Question 3.5. If a and b are integers, then what is the set of values that ax+by can take onas x, y range through all integers? We call such numbers linear combinations of a and b.
This question is related to the postage stamp question which asks if you have postagestamps of values a and b, what are the possible values of total postage that you can make.Note in this case, we are only allowed to nonnegative combinations of a and b, whereas inthe Question we allow all integers.
Example 3.6. What integers are of the form 8x+ 12y?First notice that any integer of this form is definitely a multiple of 4, as it is the gcd of
8 and 12. Further, notice that if we could somehow write 4 = 8x0 + 12y0 then we would beable to write any multiple of 4 as
4k = 8(kx0) + 12(ky0).
In this case, it’s easy to see that we can indeed write 4 = 8(−1) + 12(1). Thus our answer isthat
{8x+ 12y, |x, y ∈ Z} = {4k | k ∈ Z} = 4Z.
12
In general the following is true:
Theorem 3.7. The set of linear combinations of two numbers a and b is equal to the set ofmultiples of (a, b)
{ax+ by, |x, y ∈ Z} = {(a, b)k | k ∈ Z} = (a, b)Z.
Proof. As in the example, it is clear that any combination must be a multiple of (a, b) sincethis divides bother ax and by. What remains to be shown is that (a, b) can indeed be writtenas a linear combination of a and b. To see this, we argue by contradiction. Suppose that d isthe smallest positive integer that is a linear combination of a and b.4 Say that d = am+ bn.Now by the division algorithm, we have that
a = dq + r, 0 6 r < d.
Now r = a − dq = a − (am + bn)q = (1 −m)a + nqb is yet another linear combination ofa and b. But by assumption, d was the smallest positive such number. Hence r = 0, anda = qd. Thus d | a. Similarly d | b. Hence d is a common divisor of a and b and now thefirst sentence of this proof shows that d = (a, b).
Corollary 3.8. If (a, b) = 1 then there exists m,n ∈ Z with am+ bn = 1.
Theorem 3.7 says something quite useful: That the smallest positive integer which canbe written as a linear combination of a and b is (a, b). In the next section, we exploit this tocreate an algorithm to compute (a, b).
3.1 Finding the gcd without factoring - The Euclidean Algorithm
Given a, b ∈ N with a > b (say). Our goal is to compute g = (a, b).The Division Algorithm is key ingredient: we can first divide b into a to get
a = bq + r (q ∈ N, 0 6 r < b) ,
with q the quotient and r the remainder. Notice that
(a, b) = (b, a− bq) = (b, r)
where the first equality comes from (a, b) = (b, a) and Proposition 3.4.We can continue with a, b replaced by a1 = b, b1 = r. Apply the division algorithm again:
b = q1r+ r1 say. Then also g = gcd(b, r) = gcd(a1, b1) with a1 > b1. Continue in this way toobtain a sequence of successively smaller remainders
r0 = r > r1 > · · · > rk > rk+1 = 0 .
The last non-zero remainder is g = gcd(rk, 0) = rk. Note that k 6 b, so there are at most biterations.
More formally, the Euclidean Algorithm for finding the greatest common divisor g = (a, b)of a > b > 1 generates a sequence of ordered pairs an > bn > 1 for n = 0, 1, . . . , k andrn > rn+1 by the computer ‘pseudo-code’ :
4Why does such a number exist?
13
1. START a0 := a, b0 := b
2. APPLY DIVISION an := qnbn + rn
3. an+1 := bn, bn+1 := rn
4. REPEAT DIVISION
5. STOP WHEN rk+1 = 0
6. PRINTOUT “(a, b) = rk”
Example 3.9. Use the Euclidean Algorithm to compute (87, 51):
a0 = b0q0 + r0 87 = 51 · 1 + 36a1 = b1q1 + r1 51 = 36 · 1 + 15a2 = b2q2 + r2 36 = 15 · 2 + 6a3 = b3q3 + r3 15 = 6 · 2 + 3a4 = b4q4 + r4 6 = 3 · 2 + 0 .
Thus (87, 51) = 3, the last nonzero remainder. If we want to write 3 as a linear combinationof 51 and 87 we can just step backwards through this:
3 = 15− 6(2)
= 15− (36− 15 · 2) · 2 = 15(5)− 36(2)
= (51− 36)(5)− 36(2) = 51(5)− 36(7)
= 51(5)− (87− 51)(7) = 51(12)− 87(7).
Main Points from Lecture 3:
• How to compute the gcd of two numbers from a factorization or from the EuclideanAlgorithm
• The gcd of a, b is an integer combination of a and b.
• All integer combinations of a, b are multiples of the gcd.
4 Linear Diophantine Equations (1.10.2015)
In this lecture we will learn how to solve equations of the form ax + by = c where a, b, care integers, and we seek integer solutions (x, y) ∈ Z2 5. The complete algorithmic methodfor finding all the integer solutions of ax + by = c will require the ‘Extended EuclideanAlgorithm’ for finding one solution (x, y) of ax + by = g.c.d.(a, b), in a subsequent lecture.But today we shall concentrate on two questions:
5Do not confuse the ordered pair (x, y) ∈ Z2 with the integer (x, y) = g.c.d.(x, y) ∈ Z
14
1. When does ax+ by = c have integer solutions (x, y)?
2. If there exists a solution at all, how many solutions are there altogether?
In subsequent lectures we shall also study the same questions modn, for a given integern > 2.
Note that describing the set of real solutions (x, y) ∈ R2 of ax + by = c is easy: if(a, b) 6= (0, 0) there is a line of solutions, given by y = (c−ax)/b if b 6= 0, and by x = (c−by)/aif a 6= 0. If (a, b) = (0, 0) there is a solution if and only if c = 0, in which case every (x, y) ∈ R2
is a solution.However it’s not so clear what to do for integer solutions (x, y) ∈ Z2 of ax + by = c
with (a, b, c) ∈ Z3. We’ll see that the answer comes quickly with the help of the EuclideanAlgorithm.
Let’s work out a few examples to see the salient points:
12x+ 18y = 10
As in our work with linear combinations, we see that the left hand side is always divisible by(12, 18) = 6. But the right hand side is not. Therefore this equation has no solution. Hencewe have
If ax+ by = c has an integer solution then c must be an integer multiple of g.c.d.(a, b).
This is a direct consequence of Theorem 3.7 from the last lecture: the set of linearcombinations of two numbers a and b is equal to the set of multiples of g.c.d.(a, b)
{ax+ by |x, y ∈ Z} = {g.c.d(a, b)k | k ∈ Z} ⊆ Z .
With that in mind let’s try an example that has a chance of having solutions:
12x+ 18y = 42.
We can divide through by (12, 18) = 6 to obtain 2x+3y = 7, and now we can spot a solutionin our heads: 2(2) + 3(1) = 7. It is instructive to find another solution in a more systematicway: Notice that the Euclidean Algorithm produces a solution 2(−1) + 3(1) = 1. We canmultiply everything by 7 to obtain 2(−7) + 3(7) = 7. What is the relationship between ourtwo solutions (x, y) = (2, 1) and (x, y) = (−7, 7)? The answer is the following Theorem
Theorem 4.1. The equation ax+ by = c has an integer solution if and only if c is divisibleby d = g.c.d.(a, b). If this is the case, then there are infinitely many solutions. If (x0, y0) isone particular solution, then all solutions are of the form
x = x0 − (b/d)n, y = y0 + (a/d)n
where n is an integer.
15
Proof. By the discussion preceding this theorem, it is clear that a solution exists only if d | c.In this case a solution always exists as the Euclidean Algorithm will always yield a solutionto d = as + bt. Multiplying both sides by c/d will yield a solution. To see that there areinfinitely many solutions, let’s check that the ordered pair
(x0 − (b/d)n, y0 + (a/d)n)
is indeed a solution:
a(x0 − (b/d)n) + b(y0 + (a/d)n) = (ax0 + by0)− (ab/d)n+ (ba/d)n = (c) + 0 = c.
Now suppose that (x1, y1) is an arbitrary solution. This means that ax1 + by1 = c. Notice
a(x0 − x1) + b(y0 − y1) = c− c = 0.
This means that a(x0 − x1) = −b(y0 − y1). Let us now divide through by d to obtain
a
d(x0 − x1) = − b
d(y0 − y1).
Now since a/d and b/d are relatively prime, we see that a/d | (y0−y1) hence y0−y1 = (a/d)n.Substituting and canceling, we obtain:
a
d(x0 − x1) = − b
d
a
dn
(x0 − x1) = − bdn.
In summary we have shown that
x1 = x0 +b
dn and y1 = y0 −
a
dn .
The signs are different from the ones in the statement of the theorem, but since n is allowedto be positive or negative, this is the same solution set as we required.
The format for the solutions of an inhomogeneous linear Diophantine equation
General solution = homogeneous solution + particular solution
may be familiar to you from the solutions of an inhomogeneous linear differential equation.
Many times we will be interested in knowing the natural number solutions to an equation.In this case it is possible that there may be no solutions, or only finitely many.6
6Can you think of an equation with no natural number solutions?
16
Example 4.2. A farmer wishes to buy 100 animals and spend exactly $100. Cows are $10,sheep are $3 and pigs are $0.50. Is this possible?
Solution: The system of equations is
c+ s+ p = 100, 10c+ 3s+ 0.50p = 100.
Substituting p = 100− c− s we obtain
10c+ 3s+ 0.50(100− c− s) = 100
20c+ 6s+ 100− c− s = 200
19c+ 5s = 100.
As (19, 5) = 1 this equation will have infinitely many integer solutions. We can find one bythe Euclidean Algorithm.
Scratchwork:19 = 5(3) + 4, 5 = 4 + 1
1 = 5− 4 = 5− (19− 5(3)) = 19(−1) + 5(4)
100 = 19(−100) + 5(400).
Hence c = −100, s = 400 is one integer solution. By the Theorem, all solutions are of theform
c = −100− 5n, s = 400 + 19n.
Since we are looking for positive integer solutions, we see that −100−5n > 0 and 400+19n >0. This yields −20 > n and −21 6 n, hence n = −21 gives the unique solution in positiveintegers. This yields
c = 5, s = 1, p = 94.
4.1 Multivariate linear equations over ZGiven integers a1, a2, . . . , an, b, how do we find all (x1, . . . , xn) :
a1x1 + · · ·+ anxn = b? (1)
Important easy cases
1. g = gcd(a1, . . . , an) - b. Then the LHS of (1) is divisible by g, but the RHS is not, so(1) has no solution in integers.
2. a1 = 1. Then x2, x3, . . . , xn can be chosen to be any integers, with (1) then determiningx1. Clearly this gives all solutions of (1) in this case.
17
Example for 1. The equation 6x1 + 8x2 = 11 has no integer solution, as the LHS iseven while the RHS is odd.
Example for 2. The general integer solution of x1 + 7x2 + 9x3 = 3 is (x1, x2, x3) =(3− 7x2 − 9x3, x2, x3) for x2, x3 arbitrary in Z.
General strategy for solving (1): Make linear changes of variables to successivelyreduce the minimum modulus of coefficients of (1). Keep doing this until either
• get case where gcd(a1, a2, . . . , an) - b, so no solution, as in 1. above;
• get a coefficient = 1, and so can solve as in 2. above.
This is best illustrated by an example.
Example. Solve 3x+ 4y + 5z + 6w = 7 for integers x, y, z, w.
Solution. Write equation as 3(x+ y) + y + 5z + 6w = 7, and put u = x+ y. So3u+ y + 5z + 6w = 7, and x = u− y.Now choose u, z, w arbitrarily in Z. Then y = 7−3u−5z−6w and x = u−y = −7+4u+
5z+6w. Thus the general solution is (x, y, z, w) = (−7+4u+5z+6w, 7−3u−5z−6w, z, w).
Solution algorithm for solving (1) in integers:
• Pick the ai of smallest modulus. If |ai| = 1, can solve (1) as in 2. above.
• Otherwise, when smallest modulus of ai is > 2: For convenience assume a1 > 0 and itis the ai of smallest modulus. If all the ai divisible by a1 and a1 - b, then no solutionby 1. above. If all the ai divisible by a1 and a1 | b, then simply divide the equation bya1. Now the new a1 is = 1, so can solve it by 2. above.
Otherwise,, choose an a1 not divisible by a1 – assume it is a2. Write a2 = qa1 + a′2,where 0 < a′2 < a1, and put u = x1 + qx2. Then (1) becomes
a1x1 + (qa1 + a′2)x2 + a3x3 · · ·+ anxn = b,
ora1u1 + a′2x2 + a3x3 · · ·+ anxn = b. (2)
This new equation (2) has smallest coefficient a′2 < a1. So we can repeat the process.Keep repeating until we get either 1. (so no solution) or 2. (so can write down solution).In the latter case we use the linear equations generated (e.g., u1 = x1 + qx2) to getexpressions for the original variables.
18
4.2 Review of Congruences
We now briefly review properties of congruences. A solid mastery of the basics will benecessary for the course. At the end of this section will be many problems designed to giveyou practice working with congruences. Please let me know if you have any questions eitherbefore or after class (or in an email). The material in this section is found in Rosen 4.1(Introduction to Congruences)
The congruence a ≡ b mod n means that the difference (a− b) is divisible by n. In otherwords, a is equal to a multiple of n plus b. In other words, a = nq + b.
Example 4.3.15 ≡ 1 mod 7
−3 ≡ 14 mod 17
10 ≡ 0 mod 5
I find it helpful to thing of negative numbers as being “less than a multiple of n”. Forexample 30 ≡ −4 mod 17 because “30 is 4 less than a multiple of 17.”
There are multiple ways to represent numbers using congruences, and we call each set ofequivalences a congruence class. For example
· · · − 4 ≡ 1 ≡ 6 ≡ 11 ≡ 16 · · · mod 5
Is the congruence class of the 1 mod 5.
Definition 4.4. A complete system of residues mod n is a set of integers such that everyinteger is congruent mod n to exactly one integer in the set. A least positive reside for aninteger a is the smallest positive integer b such that a ≡ b mod n.
Example 4.5. Modulo 5, a complete system of residues if {0, 1, 2, 3, 4}. Another is {−2,−1, 0, 1, 2}.Yet another is {0, 1, 2, 3, 19}.
Arithmetic with congruences behaves extremely well, as we summarize here:
Theorem 4.6. If a, b, c, d and n are integers with n > 0 and a ≡ b mod n and c ≡ d mod nthen
a+ c ≡ b+ d mod n.
a− c ≡ b− d mod n.
ac ≡ bd mod n.
The proofs of these exercises follow from the definition of modular arithmetic. The thirdproperty is a special case of Problem 2c on the first Homework. We present the proof here.
Proof. If a ≡ b mod n then a = kn+ b for some integer k. Similarly, c = `n+ d. Thus
ac = (kn+ b)(`n+ d) = k`n2 + b`n+ dkn+ db
and therefore ac− bd = n(k`n+ b`+ dk) is a multiple of n. Hence ac ≡ bd mod n.
19
Example 4.7. Compute: 93·17 mod 6. Since 93 ≡ 3 mod 6 and 17 ≡ −1 mod 6 we concludethat 93 · 17 = −3 mod 6.
Finally, we discuss exponents and their role in modular arithmetic. It is not true thatwe can reduce the exponents mod n in computations:
210 ≡ 1024 ≡ 4 mod 5
20 ≡ 1 mod 5.
However, two algorithms exist which can help us readily compute high powers of numbersmod n.
In general, the method that works best is successive squaring. Simply compute successivesquares, reducing mod n when necessary. Then use these numbers to compute the desiredpower. This is best illustrated by an example.
Example 4.8. Compute the least positive residue mod 7 of 237. We compute powers, 22 ≡ 424 ≡ 42 ≡ 228 ≡ 22 ≡ 4216 ≡ 42 ≡ 2232 ≡ 22 ≡ 4Thus 237 = 232 · 24 · 21 = 4 · 2 · 2 ≡ 2 mod 7.
4.3 Lots of Practice Problems with Congruences
(The Starred Problems will appear on the next Homework to be Handed-In)
1. Show that the following congruences hold:
13 ≡ 1 mod 2, 111 ≡ −9 mod 40, 69 ≡ 62 mod 7.
2. Show that if a is an odd integer then a2 ≡ 1 mod 8. (Try to find two proofs, one usingmodular arithmetic and one that doesn’t)
3. Find the least positive residue of 1! + 2! + 3! + · · · 100! mod 7
4. Show by mathematical induction that if n is a positive integer then 4n ≡ 1+3n mod 9.
5. Find the least positive residue mod 47 of 2200.
6. ? Show that for every integer n there are infinitely many Fibonacci numbers fk suchthat m divides fk. (Hint: Show that the sequence of least positive residues mod n ofthe fibonacci numbers is a repeating sequence.)
7. ? If a, b, c,m are integers such that m > 0, d = (c,m) and ac ≡ bc mod m thena = b mod m/d.
20
Main Points from Lecture 4:
• How to solve systems of linear diophantine equations using the Euclidean Algorithm
• Basic properties of congruences
5 The Extended Euclidean Algorithm and Linear Mod-
ular Congruences (5.10.2015)
5.1 The Extended Euclidean Algorithm
So far we have only used the Euclidean Algorithm in the classical way: Given a and b, use thealgorithm to find their gcd. We can then back-substitute to find a solution to the equationax + by = gcd(a, b). We now present a way that does this all at once called the ExtendedEuclidean Algorithm.
The basic idea is simple: Given a > b > 1 our goal is to not only find z = gcd(a, b) butalso an integer solution (x, y) ∈ Z2 the equation ax+ by = z. This is done by extending thesteps in the Euclidean Algorithm from the sequence of reminders in successive divisions
r0 > r1 > · · · > rk = gcd(a, b) > rk+1 = 0
to a sequence of integer vectors v−2, v−1, . . . , vk ∈ Z3
v−2 = (x−2, y−2, r−2) = (1, 0, a) ,
v−1 = (x−1, y−1, r−1) = (0, 1, b) ,
v0 = (x0, y0, r0) ,
...
vk = (xk, yk, rk) ∈ Z3
such thataxn + byn = rn for n = −2,−1, 0, 1, . . . , k .
Then (x, y) = (xk, yk) ∈ Z2 is such that
ax+ by = rk = z = gcd(a, b)
as required.
Proposition 5.1. (Extended Euclidean Algorithm) Given a, b ∈ N and z = gcd(a, b), thereexist integers (x, y) ∈ Z2 such that:
ax+ by = z Bezout’s Identity .
21
Proof. As usual, it may be assumed that a > b > 1. For any vectors v = (x, y, r), v′ =(x′, y′, r′) ∈ Z3 such that
ax+ by = r and ax′ + by′ = r′ ∈ Z
(i.e. on the integer plane ax + by − z = 0 in Z3 ⊂ R3 normal to (a, b,−1) ∈ Z3) and anyintegers c, c′ ∈ Z the integer linear combination
v′′ = cv + c′v′ = (cx+ c′x′, cy + c′y′, cr + c′r′) = (x′′, y′′, r′′) ∈ Z3
is also on the integer plane, with
ax′′ + by′′ = a(cx+ c′x′) + b(cy + c′y′)
= c(ax+ by) + c′(ax′ + by′)
= cr + c′r′ = r′′ ∈ Z .
This is called the Principle of Linear Superposition. The formula for constructing thesequence of vectors v0, . . . , vk ∈ Z3 involves the integer linear combinations used to obtainrn+1 from rn and rn−1. By construction, the rn’s are the successive remainders in the divisions
an = qnbn + rn (n = 0, 1, . . . , k + 1)
with the sequence (an, bn) ∈ N2 of pairs such that an > bn > 0 given by the EuclideanAlgorithm
(a0, b0) = (a, b) , r0 = a0 − q0b0(a1, b1) = (b0, r0) , r1 = a1 − q1b1
......
(ak+1, bk+1) = (bk, rk) , rk+1 = 0 (terminate)
such thatan = qnbn + rn for n = 0, 1, . . . , k, k + 1
with z = gcd(a, b) = rk. The remainder rn+1 is obtained from rn and rn−1 by a particularlinear integer combination
rn+1 = an+1 − qn+1bn+1 = rn−1 − qn+1rn .
Use the same linear integer combination to define
vn+1 = vn−1 − qn+1vn ∈ Z3
which coordinate-wise is
xn+1 = xn−1 − qn+1xn , yn+1 = yn−1 − qn+1yn , rn+1 = rn−1 − qn+1rn ∈ Z .
22
You do not have to memorize these formulae in order to implement the Extended EuclideanAlgorithm, assuming that you can implement the Euclidean Algorithm itself. You only needto know the initial values
v−2 = (1, 0, a) , v−1 = (0, 1, b) ∈ Z3
and the idea that the integer linear combinations of the Euclidean Algorithm in the thirdcoordinate govern the iteration of v0, v1, v2, . . . , vk ∈ Z3 in the Extended Euclidean Algo-rithm.
We illustrate with an example: gcd(91, 77).Notice that the following equations hold obviously.
E(−2) : 91(1) + 77(0) = 91, v−2 = (1, 0, 91)
E(−1) : 91(0) + 77(1) = 77, v−1 = (0, 1, 77)
We have written the coefficients to the right. Now notice what happens when we subtractthe second equation from the first E(0) = E(−2)− E(−1).
E(0) : 91(1)− 77(1) = 14, v0 = v−2 − v−1 = (1,−1, 14)
Now we can set E(1) = E(−1)− 5 · E(0):
E(1) : 91(−5) + 77(6) = 7, v1 = (−5, 6, 7)
As 14 = 2.7 we are done:
−5.91 + 6.77 = gcd(91, 77) = 7 .
If you look at the numbers on the right side of the equation, they are simply the remaindersthat come up in the Euclidean Algorithm. Hence 7 is the last nonzero remainder so it is thegcd. Hence we have found 91(−5) + 77(6) = 7. This algorithm can be done rapidly if weignore writing the equations and just work with the vectors.
Example 5.2. Compute gcd(561, 306) using the Extended Euclidean Algorithm: We beginwith the vectors v−2 = (1, 0, 561) and v−1 = (0, 1, 306) and just subtract one from the othersuccessively:
v−2 = (1, 0, 561)
v−1 = (0, 1, 306)
v0 = (1,−1, 255), (v0 = v−2 − v−1)v1 = (−1, 2, 51), (v1 = v−1 − v0)v2 = (6,−11, 0), (v2 = v0 − 5v1).
Thus the gcd is 51 and 561(−1) + 2(306) = 51.
23
5.2 Linear modular congruences
We now solve congruences of the form
ax ≡ c mod n.
Recall that from the definition this means that ax − c = ny for some integer y. Rewritingwe can think of this as a linear diophantine equation
ax− ny = c.
(Notice the roles of the letters is slightly different here than it was before.) Hence for asolution to exist, if d = (a, n), it must be the case that d | c. Further, if one solution (x0, y0)exists then there are infinitely many solutions, given by Theorem 4.1:
x = x0 + (n/d)t, y = y0 + (a/d)t.
Since we are solving a congruence, however, it makes sense to talk about the congruenceclasses which are solutions. In other words, we want to know how many incongruent solutionsthere are to the equation mod n.
Theorem 5.3. If d = (a, n) divides c then the congruence ax ≡ c mod n has exactly dincongruent solutions mod n.
Proof. Let x0 be a solution to the congruence. By the discussion above, we know that allsolutions are of the form x0 + (n/d)t where t ∈ Z. We now see how many of these areincongruent mod n. Suppose that we have
x1 = x0 + (n/d)t1, x2 = x0 + (n/d)t2.
Then x1−x2 = (n/d)(t1−t2). Hence x1 and x2 are congruent mod n if and only if (n/d)(t1−t2)is a multiple of n. This occurs exactly when there exists an integer ` such that (n/d)(t1−t2) =`n. Simplifying we see (t1 − t2) = `d, which is equivalent to
t1 ≡ t2 mod d.
Summing up, the solutions x that are inequivalent mod n are exactly the ones that havecorresponding values of t that are inequivalent mod d. There are d such classes for t, whichproves the theorem.
Note the special case when d = (a, n) = 1.
Corollary 5.4. If (a, n) = 1 then the congruence ax = c mod n has a unique solution.
An Algorithm: To solve a congruence of the form ax ≡ c mod n we can proceedalgorithmically:
First we check the necessary condition that d = (a, n) divides c.
24
If so, then we expect there to be d distinct solutions mod n. To find one of these, write
d = ax0 + ny0
Then going mod n, we see that x0 is a solution to the congruence.The set of all solutions is then
{x0, x0 + (n/d), x0 + 2(n/d), . . . , x0 + (d− 1)(n/d)} = {x0 + t(n/d) | 0 6 t 6 d− 1} .
Example 5.5. To find all solutions to 9x ≡ 12 mod 15, we first check that d = (9, 15) = 3indeed divides 12. By the Theorem there will be 3 inequivalent solutions. By the EuclideanAlgorithm, we see that
d = 15(−1) + (2)(9).
Hence 9(2) ≡ 3 mod 15 and thus 9(8) ≡ 12 mod 15. Thus x = 8 is a solution. All solutionswill therefore be of the form 8+(15/3)t = 8+5t for t = 0, 1, 2. Hence the congruence classesof the solutions are 3, 8, 13.
Main Points from Lecture 5:
• Using the Extended Euclidean Algorithm to write gcd(a, b) as an integer combinationof a and b.
• The number of solutions to the congruence ax ≡ c mod n is d = (a, n).
• All solutions are of the form x0 + t(n/d) for t = 0, 1, . . . , d− 1.
6 Modular Inverses and the Chinese Remainder The-
orem (8.10.2015)
A solution x0 mod n to the congruence ax0 ≡ 1 mod n is called an inverse of a mod n,written
x0 ≡ a−1 mod n .
By Corollary 5.4, this solution is unique. Inverses are incredibly useful, because if you haveone, then it allows you to easily solve all other congruences, by ‘reverse engineering’: theequation ax ≡ b mod n is solved by x ≡ a−1b mod n, that is x ≡ x0b mod n. But beware:this only works if a−1 mod n is actually defined, i.e. if gcd(a, n) = 1.
Example 6.1. Find all solutions to 7x ≡ 1 mod 31. We use the Extended Euclidean Algo-rithm to determine that
(31)(−2) + 7(9) = 1
so that 9 = 7−1 mod 31, and x ≡ 9 mod 31.
25
An important special case is when n = p is a prime number. In this case, every nonzeronumber a has a unique inverse. For example, we list the inverses mod 11 in the followingtable
a 1 10 2 3 5 7a−1 1 10 6 4 9 8
Notice in this table we have chosen the representatives {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} to representthe nonzero congruence classes mod p. However, if we chose {−1,−2,−3,−4,−5, 1, 2, 3, 4, 5},the table would be:
a 1 −1 2 3 5 −4a−1 1 −1 −5 4 −2 −3
Theorem 6.2. A number a is equal to its own inverse mod p if and only if a ≡ ±1 mod p.
Proof. Since 12 = (−1)2 = 1, we see that ±1 are their own inverses. To see that there are noothers, notice that a2 ≡ 1 mod p means that a2−1 is a multiple of p. But then p must divide(a+ 1)(a− 1) meaning that p must divide either a+ 1 or a− 1. Hence a ≡ ±1 mod p.
Theorem 6.3. [Chinese Remainder Theorem] Given m1, . . . ,mk ∈ N with gcd(mi,mj) =1 (i 6= j) (“pairwise coprime”), and a1, . . . , ak ∈ Z, then the system of congruences
x ≡ a1 mod m1
x ≡ a2 mod m2
...
x ≡ ak mod mk
has a solution x ∈ Z.
Proof. In fact x can be constructed explicitly. For i = 1, . . . , k define m∗i to be the inversemodmi of m1 . . .mi−1mi+1 . . .mk, so that
m1 . . .mi−1m∗imi+1 . . .mk ≡ 1 mod mi.
Then x =∑k
i=1 aim1 . . .mi−1m∗imi+1 . . .mk ≡ ai mod mi for i = 1, . . . , k, because every
term except the ith is divisible by mi.
Remark 6.4. Notice that if n ∈ N with n =∏k
i=1 peii where pi are distinct primes. Then
x ≡ a mod n is the unique solution to the system of congruences
x ≡ a mod peii , i = 1, . . . , k.
Indeed, (x− a) is divisible by n if and only if it is divisible by peii for all i.
Then, if x0 is one solution to this set of congruences, it’s easy to see (how?) that thegeneral solution is x = x0+`m1 · · ·mk for any integer `. In particular, there is always a choiceof ` giving a unique solution x in the range 0 6 x < m1 · · ·mk of the set of congruences.
26
6.1 Examples and Exercises
Example 6.5. This example comes from the ancient Chinese puzzle (third century C.E.) inMaster Sun’s Mathematical Manual. Find a number that leaves a remainder 1 whendivided by 3, a remainder of 2 when divided by 5 and a remainder of 3 when divided by 7.
This system of equations is
x ≡ 1 mod 3
x ≡ 2 mod 5
x ≡ 3 mod 7.
We have k = 3 equations, so following the solution in the theorem, we form all products ofk − 1 = 2 moduli and compute inverses.
(m1) ≡ (5 · 7)−1 mod 3
(m2) ≡ (3 · 7)−1 mod 5
(m3) ≡ (3 · 5)−1 mod 7
We can check that these numbers are (m′1,m′2,m
′3) = (2, 1, 1). Hence
x = (1) · 2 · 5 · 7 + (2) · 3 · 1 · 7 + (3) · 3 · 5 · 1 = 70 + 42 + 45 = 157.
Is a solution. Furthermore, since 2 · 5 · 7 = 105 all solutions are of the form 157 + 105n. Inparticular, the smallest positive solution is x = 52.
There is also an iterative way to find a solution
Example 6.6.
x ≡ 1 mod 5
x ≡ 2 mod 6
x ≡ 3 mod 7.
The first equation says x = 5t+ 1, and hence the second says 5t+ 1 ≡ 2 mod 6. This is thesame as
5t ≡ 1 mod 6
we can multiply both sides by 5 (the inverse of 5) to obtain
t ≡ 5 mod 6 .
Hence t = 6s+ 5, so that x = 30s+ 26. Finally we substitute in to obtain
30s+ 26 ≡ 3 mod 7
2s ≡ 5 mod 7
s ≡ 6 mod 7.
Thus s = 6, and x = 30(6) + 26 = 206.
27
This second method allows an algorithm for solving systems of congruences even in thecase when the mi are not relatively prime (when a solution exists. See Exercises 15-20 inRosen 4.3) For this course it is important to know the statement and proof of the ChineseRemainder Theorem. For solving practical problems, either method is acceptable.
Remark 6.7. Notice that we can in fact solve any system of congruences of the form ax =b mod m using the methods above, provided that a has an inverse mod m. The first step isjust to multiply both sides of the congruence by a−1.
6.2 Exercises
1. Find all the solutions of
•
x ≡ 4 mod 11
x ≡ 3 mod 17
•
x ≡ 0 mod 2
x ≡ 0 mod 3
x ≡ 1 mod 5
x ≡ 6 mod 7.
2. Show that if (a, b) = 1 and c is an integer, then there exists an integer n such that(an+ b, c) = 1.
3. Solve the system:
x ≡ 4 mod 6
x ≡ 13 mod 15
Note that the moduli are NOT relatively prime.
Main Points from Lecture 6:
• The inverse of a exists mod n if and only if (a, n) = 1.
• If ax+ ny = 1 then x is the inverse of a mod n.
• Method and proof of the Chinese Remainder Theorem
28
7 Solving Polynomial Equations and Hensel’s Lemma
(12.10.2015)
Let’s begin with a one sentence summary of what the Chinese Remainder Theorem saysfrom last time:
Knowing a number x mod N is equivalent to knowing x mod each of the prime powers pejj
in N = pe11 pe22 . . . pekk .
For example, knowing that x ≡ 27 mod 30 is the same as knowing
x ≡ 1 mod 2, x ≡ 0 mod 3, x ≡ 2 mod 5.
Example 7.1. How many solutions x mod pq does the equation x2 ≡ 1 mod pq have, wherep and q are distinct odd primes?
Solution: By the CRT we know that this is equivalent to finding solutions of the formx2 ≡ 1 mod p and x2 ≡ 1 mod q. These each have exactly two solutions: +1,−1. (We areexcluding the case p = 2 because in this case 1 = −1). Hence in total there are four possiblesystems of congruences, so in total there are 4 solutions.
For example the square roots of 1 mod 77 are equal to {1, 34, 43, 76}More generally, we can show that if N = p1 · · · pk is a product of distinct odd primes then
x2 ≡ 1 mod N has 2k distinct solutions mod N . We say that 1 has 2k square roots.
This motivates a question: If we know x mod p, what can we say about x mod p2?
Example 7.2. Solve the polynomial congruence 2x3 + 7x− 4 ≡ 0 mod 200.Solution: Notice that 200 = 23 ·52 = 8 ·25 This problem is equivalent to solving the system
of equations2x3 + 7x− 4 ≡ 0 mod 8
2x3 + 7x− 4 ≡ 0 mod 25.
We can check that x ≡ 4 mod 8 (just by trial and error) and later today we’ll show thatx ≡ 16 mod 25. These two linear equations combine by the CRT to show that the solution isx ≡ 116 mod 200.
The CRT provides a very effective way of chopping up a problem into smaller piecesby turning the problem “Solve f(x) ≡ 0 mod n” into a system of problems “Solve f(x) ≡0 mod peii ” if n =
∏peii . In this section we will develop a method for solving polynomial
equations of the form f(x) = 0 mod pe.Continuing the example, notice that to solve the equation 2x3 + 7x − 4 mod 5 we only
need to test 0, 1, 2, 3, 4. This is reasonably quick. And we see that all solutions satisfyx ≡ 1 mod 5. However, we’d like to avoid check all the numbers 0, . . . , 24 to solve thisequation mod 25. Notice that any solution x to
2x3 + 7x− 4 ≡ 0 mod 25
29
is also a solution mod 5. Hence x ≡ 1 mod 5. Hence x = 5t+ 1. Substituting we see that
2(5t+ 1)3 + 7(5t+ 1)− 4 ≡ 0 mod 25
2(���(5t)3 + �����3 · (5t)2 + 3 · 5t+ 1) + 35t+ 7− 4 ≡ 0 mod 25.
2(3 · 5t+ 1) + 35t+ 7− 4 ≡ 0 mod 25.
65t+ 5 ≡ 0 mod 25.
15t+ 5 ≡ 0 mod 25.
(Notice that everything on the left was divisible by 5). We can eliminate a factor of 5 byExercise 4.3.7. Hence
3t+ 1 ≡ 0 mod 5.
which has t ≡ 3 mod 5 is its unique solution. Hence x ≡ 16 mod 25 is the unique solutionto our original equation. We say that x ≡ 16 mod 25 is a “lift” of the solution x ≡ 5 mod 5.
Hensel’s Lemma is a number theory version of Newton’s calculus method of approxi-mating a solution of a differential equation f(x) = 0 by using Taylor’s theorem. If x0 isan approximate solution with f ′(x0) 6= 0 then the graph y = f(x) can be replaced near(x0, f(x0)) by the tangent line
y = f(x0) + (x− x0)f ′(x0) .
The tangent line intersects the x-axis y = 0 at
x1 = x0 −f(x0)
f ′(x0)
which with luck is either a solution or at least a better approximate solution, meaning thateither f(x1) = 0 or |f(x1)| < |f(x0)| with f ′(x1) 6= 0. Now proceed in this way, defining asequence of ever better (hopefully!) approximations
xn+1 = xn −f(xn)
f ′(xn)(n = 0, 1, 2 . . . ) (∗)
with the limitx∞ = lim
nxn
defined, and such that f(x∞) = 0. The number theory version is for a polynomial function
f(x) =
j∑i=0
aixi (ai ∈ Z)
in which one seeks integer solutions x ∈ Z of f(x) = 0 ∈ Z. The derivative is then again apolynomial function with integer coefficients
f ′(x) =n∑i=1
iaixi−1 .
30
However, in number theory the passage from one approximation to another is rather morecomplicated than (∗), and proceeds mod prime powers pk for each prime p separately, andk = 1, 2, . . . . In the first instance, we only consider one prime p, and how to lift7 a solutionr mod pk−1 to a solution s mod pk, if possible.
Theorem 7.3. (Hensel’s Lemma) Suppose that f(x) is a polynomial with integer coefficientsand k is an integer with k > 2. Suppose further that r ∈ Z is a solution of the congruencef(r) ≡ 0 mod pk−1. Then there are three possibilities for the number of solutions s mod pk
of f(s) ≡ 0 mod pk which are lifts of r mod pk−1. There are 1, p or 0 solutions, accordingto:
1. if f ′(r) 6≡ 0 mod p there is a unique solution s mod pk of f(s) ≡ 0 mod pk liftingr mod pk−1. There is a unique integer t (0 6 t 6 p− 1) such that
t ≡ −f ′(r)∗(f(r)/pk−1) mod p
where f ′(r)∗ is the inverse of f ′(r) mod p. The unique solution is the mod pk reductions = r + tpk−1 ∈ Z;
2. if f ′(r) ≡ 0 mod p and f(r) ≡ 0 mod pk, there are p solutions s mod pk of f(s) ≡0 mod pk lifting r mod pk−1. The p solutions are the p lifts s = r + tpk−1 mod pk
(0 6 t 6 p− 1) of r mod pk−1;
3. if f ′(r) ≡ 0 mod p and f(r) 6≡ 0 mod pk, then there are no solutions, i.e. there is nos ∈ Z such that f(s) ≡ 0 mod pk and s mod pk is a lift of r mod pk−1.
Example 7.4. 1. Let p = 2, f(x) = x + 1, so that r = 1 ∈ Z is a solution of f(r) ≡0 mod 2, with f(r) = 2 ∈ Z, f ′(r) = 1 6≡ 0 mod 2. Then t = 1 is the unique integerwith 0 6 t < 2 such that
t ≡ −f ′(1)∗(f(1)/2) mod 2
and s = 1 + 2 = 3 mod 4 is the unique solution of f(s) ≡ 0 mod 4 lifting 1 mod 2.
2. Let p = 2, f(x) = x2 − 1, so that r = 1 ∈ Z is a solution of f(r) ≡ 0 mod 2,with f(r) = 0 ∈ Z, f(r) ≡ 0 mod 4, f ′(r) ≡ 0 mod 2. Then for any integer t ∈ Zs = 2t + 1 ∈ Z is such that f(s) ≡ 0 mod 4 and s mod 4 is a lift of 1 mod 2. Thereare two solutions s mod 4 of f(s) ≡ 0 mod 4 lifting r ≡ 1 mod 2, namely s ≡ 1 mod 4and s ≡ 3 mod 4.
3. Let p = 2, f(x) = x2 + 1, so that r = 1 ∈ Z is a solution of f(r) ≡ 0 mod 2, withf(r) = 2 ∈ Z, f(r) 6≡ 0 mod 4, f ′(r) ≡ 0 mod 2. There is no solution s ∈ Z off(s) ≡ 0 mod 4, let alone one which lifts 1 mod 2.
The Wikipedia article on Hensel’s Lemma is recommended as background reading.
7By definition, s mod pk is a lift of r mod pk−1 if r is the reduction of s. Every r mod pk−1 has p liftss = s0 + tpk−1 mod pk (0 6 t 6 p− 1), with s0 mod pk any one lift.
31
7.1 A fireside Chat With Hensel’s Lemma
It’s fair to say that the statement of Hensel’s Lemma is a bit intimidating - but that doesn’tmean that the concept is difficult. Hopefully the following chat between Hensel’s Lemmaand some guy named Earle will help with the concept.
Earle: So what’s the deal with you, anyway?
HL: Well, I provide a method of telling how many solutions you have mod p2 given so-lutions mod p.
Earle: Is that it?
HL: Well, I can inductively be used to find solutions mod p3, p4, and on and on. In anadvanced course, you might wonder if there’s a limit term at p∞, and the answer is YES,and that concerns the p-adics and ...
Earle: Whoa, let’s worry about that in the advanced course. So tell me, in layman’sterms what your lemma does.
HL: Well suppose you’ve got a polynomial, and all you know is the following table ofnumbers
x 0 1 2 3 4f(x) 10 1 6 −7 25
Then what are the solutions to f(x) ≡ 0 mod 5?
Earle: Well you just have to check the equivalence classes, so it looks like x ≡ 0 andx ≡ 4 are the only solutions.
HL: Good. Now what can you say about the solutions to f(x) ≡ 0 mod 25?
Earle: Well I don’t know. I mean I know that x has to be 0 or 4 mod 5. So that means xhas to be either 0, 5, 10, 15, 20 or 4, 9, 14, 19, 24.
HL: Do you know anything else?
Earle: Well from the given information I guess I know that f(4) = 25 so f(4) ≡ 0 mod 25.So that’s one solution. And I know that f(0) = 10 so 0 is NOT a solution mod 25.
HL: Good. That’s really all you can say. But now what if I told you that f ′(0) = 2?
Earle: Oh, then the theorem says that f(x) ≡ 0 mod 25 should have a unique solution... orsomething, right? But I don’t remember the formula, there’s a t and a r + tpk−1 blech.
32
HL: Mostly right. It says that there is a unique solution with x congruent to 0 mod 5.So only one of the numbers 0, 5, 10, 15, 20 is going to be a solution. And check out Corollary8.3 for a more convenient way to work. This wasn’t written on the board during class, butit’s very helpful. It says that a solution mod 25 will just be given by
r2 = r − f ′(r)∗f(r)
In other words, take the root from the previous step and then subtract off a correction term.
Earle: This is like Newton’s method, isn’t it?
HL: It is indeed! Sor2 = 0− ((2)∗)(10)
Earle: Wait a second, when you take the inverse of 2, is that mod 5 or mod 25?
HL: Well it turns out that it won’t matter, but in the statement of the lemma, this in-verse business is ALWAYS just mod p. So yea, you just want the inverse mod 5.
Earle: Ok, so r2 = 0− (3)(10) = −30 which is −5 mod 25 which is 20 mod 25. Pretty cool.I don’t even have to check those other candidates among 0, 5, 10, 15, 20. I know that 20 hasgot to be the solution.
HL: Ok, now what if I told you that f ′(4) = 0.
Earle: Oh that’d be a sad day.
HL: Not so much. My Theorem says that if f ′(4) is zero - then either ALL of the liftsof 4 are solutions, or NONE of the lifts are solutions.
Earle: Oh, so I could just check one to see whether or not it was a solution.
HL: Yea, and you may as well just check 4 itself.
Earle: Ok f(4) = 25 ≡ 0 mod 25 so that means we have one solution, so they must allbe solutions! So all of 4, 9, 14, 19, 24 are solutions.
HL: Yep. And summing up, that means that 20 and 4, 9, 14, 19, 24 are the solutions mod25.
Earle: That was pretty easy. Can we do another step?
33
HL: Sure. To lift that 0 mod 5 solution we can just do another round of that formula:
r3 = r2 − f ′(r)∗(f(r2))
where r was the original solution mod 5.
Earle: Wait wait, this is the part that really confuses me. First of all didn’t you meanto put an r2 into that f ′(r)∗ term?
HL: Well I could have, but it won’t make a difference. Remember, r2 and r are the samemod 5. So that means that f ′(r) and f ′(r2) are the same mod 5. And since we take ourinverses mod 5, this is all that matters.
Earle: Oh ok. Ohhh so that inverse term... it’s gonna be 3 again, cause at every stepI’m just applying f ′(0)∗? So
r3 = 20− 3f(20)
HL: Looks good to me.This concludes our fireside chat with Hensel’s Lemma. I hope this has been helpful.
Main Points from Lecture 7:
• How to apply the Chinese Remainder Theorem to solving equations mod N via fac-torization.
• The statement and application of Hensel’s Lemma.
8 The Proof of Hensel’s Lemma and Example (15.10.2015)
To prove Hensel’s Lemma we will need the following Integrality Lemma on the Taylor seriesof a polynomial with integer coefficients. Notice that this Taylor series is finite since thederivatives of a polynomial are eventually all zero. Indeed, if f(x) is a polynomial of degreen then the (n+ 1)-st derivative f (n+1)(x) is always zero. Furthermore, the converse is true:if a differentiable function f : R → R is such that f (n+1)(x) = 0 for all x ∈ R then f is adegree n polynomial with real coefficients. This being a course on number theory we areonly concerned with functions f : Z→ Z, and polynomials with integer coefficients.
Lemma 8.1. (Integrality Lemma) If f(x) is a polynomial of degree n with integer coefficientsthen
f(a+ b) = f(a) + f ′(a)b+f ′′(a)
2!b2 + · · ·+ f (n)(a)
n!bn
34
where the coefficients f(a), f ′(a),f ′′(a)
2!, . . . ,
f (n)(a)
n!are polynomials in a with integer coeffi-
cients.
Proof. All but the integrality of the coefficients follows from the Taylor expansion about thepoint x = a. To see that the coefficients are integers consider first the special case of a degreem ‘monomial’ f(x) = xm, when
f (k)(a)
k!=
m(m− 1) . . . (m− k + 1)
k!xm−k =
(m
k
)xm−k if 0 6 k 6 m
0 if k > m .
For the general case of a degree n polynomial
f(x) =n∑
m=0
cmxm (cm ∈ Z)
we havef (k)(a)
k!=
n∑m=0
cm
(m
k
)xm−k (with xm−k = 0 if k > m) .
Example 8.2. For a cubic polynomial with integer coefficients
f(x) = c0 + c1x+ c2x2 + c3x
3 (c0, c1, c2, c3 ∈ Z)
and any a, b ∈ Z
f(a+ b) = c0 + c1(a+ b) + c2(a+ b)2 + c3(a+ b)3
= (c0 + c1a+ c2a2 + c3a
3) + (c1 + 2c2a+ 3c3a2)b+ (c2 + 3c3a)b2 + c3b
3
= f(a) + f ′(a)b+f ′′(a)
2!b2 +
f ′′′(a)
3!b3
withf(a) = c0 + c1a+ c2a
2 + c3a3 , f ′(a) = c1 + 2c2a+ 3c3a
2 ,
f ′′(a)
2!= c2 + 3c3a ,
f ′′′(a)
3!= c3
polynomials in a with integer coefficients.
Proof of Hensel’s Lemma. Recall that we are assuming that r is a solution of f(r) ≡ 0 modpk−1. We seek solutions mod pk that are congruent to r mod pk−1. In other words, we arelooking for solutions mod pk of the form s = r + tpk−1. We will seek precise conditions fort. Notice that the Integrality Lemma 8.1 says
f(r + tpk−1) = f(r) + f ′(r)tpk−1 +f ′′(r)
2!t2p2k−2 + · · ·
35
with integer coefficientsf (k)(r)
k!. Notice that all terms but the first two are zero mod pk
(since k > 2). Hencef(r + tpk−1) ≡ f(r) + f ′(r)tpk−1 mod pk.
Since we are assuming r + tpk−1 is a solution mod pk the left hand side is zero and we canconclude that
f ′(r)tpk−1 ≡ −f(r) mod pk.
But we are assuming that f(r) ≡ 0 mod pk−1 so dividing the equation
f ′(r)tpk−1 = − f(r) + npk ∈ Z (for some n ∈ Z)
by pk−1 we see thatf ′(r)t ≡ −f(r)/pk−1 mod p .
Now we just examine cases. If f ′(r) is nonzero mod p then this equation must have a uniquesolution for t
t ≡ −f ′(r)∗f(r)/pk−1 mod p
where the ∗ denotes inverse mod p. This establishes part 1. of Hensel’s Lemma.So suppose that f ′(r) ≡ 0 mod p. Then the equation is of the form
0t ≡ −f(r)/pk−1 mod p.
If the right hand side is nonzero, this has no solutions. If the right hand side is zero, thenany value of t gives a solution, proving 2. And if the right hand side is non-zero, then novalue of t gives a solution, proving 3.
One Corollary of Hensel’s Lemma provides a particularly easy method for computing“lifts” of solutions mod p.
Corollary 8.3. Suppose that r is a solution to f(r) ≡ 0 mod p where p is prime. If f ′(r) 6=0 mod p then there is a unique solution rk mod pk for each k = 2, 3, . . . such that
rk = rk−1 − f(rk−1)f′(r)∗.
where f ′(r)∗ is the inverse of f ′(r) mod p.
Proof. We see from the hypotheses of Hensel’s lemma that we are in Case 1. Hence r liftsto a unique solution r2 mod p2 with r2 = r + tp with t = −f ′(r)∗(f(r)/p) mod p. Hence
r2 = r − f ′(r)∗(f(r)) mod p2 .
It follows from f(r) ≡ 0 mod p that r2 ≡ r mod p, and hence that
f ′(r2) ≡ f ′(r) 6= 0 mod p .
Using Hensel’s Lemma again, we see that the unique solution mod p3 is then
r3 ≡ r2 − f(r2)f′(r)∗ mod p3 .
Continuing this way we see that we can obtain solutions mod pk for all k.
36
Example 8.4. Find the solutions of
x3 + x2 + 29 ≡ 0 mod 25.
Solution: Let f(x) = x3 + x2 + 29. Then the solutions mod 5 are x ≡ 3 mod 5. Sincef ′(x) = 3x2 + 2x, we have f ′(3) ≡ 3 6= 0 mod p. Also f(3) = 15 Hence the unique solutionmod 25 is
r2 ≡ 3− 15(3)−1 ≡ 3− 15(2) ≡ −27 ≡ 23
is the unique solution mod 25.
I have posted in the “Background material” directory of LEARN a scan of Section 4.4of Rosen’s Elementary Number Theory and Its Applications which has a few moreexamples worked out in detail.
8.1 Exercises
1. Find all solutions to x2 + 4x+ 2 = 0 mod 73.
2. Find all solutions to x2 + x+ 34 = 0 mod 81.
3. How many incongruent solutions are there to x5 + x− 6 ≡ 0 mod 144?
Main Points from Lecture 8:
• The method and proof of Hensel’s Lemma.
9 The finite field Fp (19.10.2015)
For the next two weeks we will be studying in detail the integers mod p, where p is prime.The set of congruence classes mod p forms a field, which we now review:
9.1 Fields
A field F is a set supplied with two binary operations ‘+’ and ‘×’ (i.e., maps from F × Fto F ), and containing special elements 0 and 1 such that
• F is an abelian group under + (meaning that a+ b = b+ a ∈ F for all a, b ∈ F ), with0 as its identity element, and −a as the (additive) inverse of a ∈ F ;
• F× = F \ {0} is an abelian group under ×, with 1 as the identity element, and a−1
the (multiplicative) inverse of a ∈ F×;
37
• The Distributive Law holds: for all a, b, c ∈ F we have
a× (b+ c) = a× b+ a× c.
This describes how + and × interact in F .
As a consequence of these rules, we can show (won’t prove)
Proposition 9.1. For a, b ∈ F we have
• a× 0 = 0;
• a× (−b) = −(a× b);
• Cancellation Law: if a× b = 0 then a = 0 or b = 0 (or both).
Examples of fields are: the complex numbers C, the real numbers R, the rational numbersQ, and the finite fields Fp for p prime – see below.
9.1.1 Construction of Fp
Start with the integers Z and a prime p, and define an equivalence relation on Z by sayingthat two integers a and b are equivalent if a ≡ b mod p. This defines an equivalence relationon Z. The elements of Fp are the equivalence classes under this relation. Taking equiva-lence class representatives to be 0, 1, 2, 3, . . . , p − 1, we can effectively regard Fp as the set{0, 1, 2, 3, . . . , p− 1}. Addition, negation, multiplication and reciprocals are performed modp, so that the result can always be chosen to be in {0, 1, 2, 3, . . . , p− 1}.
For example, in F7, 3 + 4 = 0 as in Z we have 3 + 4 = 7 ≡ 0 mod 7. Hence also −3 = 4and −4 = 3 in F7. Further, because 3× 5 = 15 ≡ 1 mod 7, we have 3−1 = 5 and 5−1 = 3 inF7.
9.2 Solving equations in Fp
For any field F let F [x] be the set of polynomials f(x) =m∑i=0
aixi in x with coefficients ai ∈ F ,
for variable m > 0. The set F [x] has both addition and multiplication
+ : F [x]× F [x]→ F [x] ; (f(x), g(x)) = (m∑i=0
aixi,
n∑j=0
ajxj)
7→ f(x) + g(x) = (f + g)(x) =max(m,n)∑k=0
(ak + bk)xk ,
. : F [x]× F [x]→ F [x] ; (f(x), g(x)) = (m∑i=0
aixi,
n∑j=0
ajxj)
7→ f(x)g(x) = (fg)(x) =m∑i=0
n∑j=0
aibjxi+j .
38
but not division. (F [x] is a ‘ring’ which is not a field). The degree of a polynomial
f(x) =m∑i=0
aixi is
degree(f(x)) = the largest i 6 m such that ai 6= 0 ∈ F .
Note thatdegree(f(x) + g(x)) 6 max(degree(f(x)), degree(g(x))) ,
degree(f(x)g(x)) = degree(f(x)) + degree(g(x)) .
We now restrict our congruences to a prime modulus p, and consider the solutions ofequations f(x) = 0 for f(x) ∈ Fp[x] and x ∈ Fp. This is equivalent, for f(x) ∈ Z[x], ofsolving f(x) ≡ 0 mod p for x ∈ {0, 1, 2, . . . , p− 1}.
Theorem 9.2. A nonzero polynomial f ∈ Fp[x] of degree n has at most n roots x in Fp.
Proof. Use induction: for n = 1, f(x) = ax + b say, with a 6= 0, whence f(x) = 0 has asolution x = −a−1b in Fp.
Now assume n > 1 and that the result holds for n. Take f(x) ∈ Fp[x] of degree n+ 1. Iff = 0 has no roots x ∈ Fp the result is certainly true. Otherwise, suppose f(b) = 0 for someb ∈ Fp. Now divide x−b into f(x), (i.e., one step of the Euclidean algorithm for polynomials)to get f(x) = (x− b)f1(x) + r say, where f1 is of degree n, and r ∈ Fp. Putting x = b showsthat r = 0. Hence f(x) = (x− b)f1(x), where f1 has, by the induction hypothesis, at mostn roots x ∈ Fp. So f has at most n + 1 roots x ∈ Fp, namely b and those of f1 = 0. Hencethe result is true for n+ 1 and so, by induction, true for all n > 1.
Note that the proof, and hence the result, holds equally well when Fp is replaced by anyfield F .
Question. Where in the above proof was the fact that we were working over a fieldused? There were two places. Once in the base case when n = 1 and then once again whenwe concluded that if (x− b)f1(x) = 0 then either one of the factors must equal zero.
Remark 9.3. Note that this theorem is not true if we work mod a composite number. Forinstance, the polynomial x2 − 1 has 4 roots mod 15. It’s instructive to really think the aboveproof through using this polynomial to see where it breaks down. Notice also that
x2 − 1 = (x− 1)(x+ 1) = (x− 4)(x+ 4)
has two different factorizations!
9.3 Some Special Congruences - Wilson’s Theorem and Fermat’sTheorem
We now prove some special congruences that will be useful for the rest of the course.
Theorem 9.4 (Wilson’s Theorem). If p is prime then (p− 1)! ≡ −1 mod p.
39
Proof. Recall that by Theorem 6.2 the only numbers that are their own inverse mod p are 1and p− 1. Hence if we rearrange the terms
(p− 1)! = 1 · 2 · · · (p− 1) = 1 · (p− 1) · (2 · 2−1) · · · (a · a−1)
where on the right we have paired each number a with its inverse. It’s clear that this productis equal to (p− 1) · (1 · · · 1) ≡ −1 mod p.
Theorem 9.5. [Fermat’s Little Theorem] If p is a prime then for all integers a, ap ≡a mod p. If further, a 6≡ 0 mod p then ap−1 ≡ 1 mod p.
Proof. Notice that the second statement follows from the first by multiplying both sides bya−1 (which exists if and only if a 6≡ 0 mod p.) To prove the first statement we argue byinduction. Clearly the statement if true if a = 0. Now notice that by the binomial theorem
(a+ 1)p = ap +
(p
1
)ap−1 +
(p
2
)ap−2 + · · ·+
(p
p− 1
)a+ 1.
Recall that(pk
)is divisible by p for 1 6 k 6 p− 1 (Why?). Hence
(a+ 1)p ≡ ap + 1 mod p.
Now by induction we have(a+ 1)p ≡ a+ 1.
This proves the result for all positive integers, and since this is a statement about congru-ences, this takes care of all the equivalence classes (including the class of negative ones).
In class, we used Fermat’s Theorem to provide another proof of Wilson’s Theorem. Seeif you can fill in the details! The rough outline is that Fermat’s Theorem says that eachnonzero element of Fp is a solution to the equation xp−1 − 1 = 0. Now use the fact thatyou’ve found p− 1 roots of this equation, and a little factorization to finish the job!
Main Points from Lecture 9:
• Definition and basic properties of a field
• Definition of Fp
• The number of roots in Fp of a polynomial of degree n is at most n
• Statement and two proofs of Wilson’s Theorem
• Statement (and your favorite proof) of Fermat’s Little Theorem
40
10 Primitive Roots and the Structure of Fp (22.10.2015)
10.1 A Warmup for Things to Come:
We start today with defining theEuler ϕ-function: this is is the number of positive integersnot exceeding n that are coprime to n
ϕ(n) = the number of a such that 1 6 a 6 n and greatest common divisor (a, n) = 1 .
Example 10.1. The values of ϕ(n) of the numbers n with 1 6 n 6 12.
n 1 2 3 4 5 6 7 8 9 10 11 12ϕ(n) 1 1 2 2 4 2 6 4 6 4 10 4
We will study this function in more detail next week, but for today we note one beautifulproperty of ϕ:
Theorem 10.2. If n ∈ N then ∑d|n
ϕ(d) = n.
Proof. This proof is pretty intuitive. We want to show that a sum of a bunch of numbers isequal to n. A good way to show something like this is to establish a bijection between thenumbers {1, . . . , n} and the things you are trying to count. For us, we are going to do thefollowing: To each integer 1 6 a 6 n, compute (a, n). This is certainly some number d thatdivides n. Now the following equation is obvious:∑
d|n
#{a | (a, n) = d} = n
Indeed, every number from 1 to n appears in exactly one of the sets. On the other hand,it’s easy to see that
#{a | (a, n) = d} = ϕ(n/d)
since if (a, n) = d then (a/d, n/d) = 1. (Conversely, if (b, n/d) = 1 then (bd, n) = d.)Therefore:
n =∑d|n
ϕ(n/d).
Now whether we sum ϕ(d) or ϕ(n/d) we should get the same thing.
This is one of those proofs for which working through it with an example in mind is veryhelpful.
41
Example 10.3. In this table for each divisor d|12 the second row groups together all thenumbers 1 6 a 6 12 with greatest common divisor d:
d 1 2 3 4 6 12a 1, 5, 7, 11 2, 10 3, 9 4, 8 6 12
12/d 12 6 4 3 2 1ϕ(12/d) 4 2 2 2 1 1
Each a = 1, 2, . . . , 12 appears exactly once in the second row, verifying that∑d|12
#{a | (a, 12) = d} = 12 .
The numbers in the fourth row are the number of elements in the corresponding entry of thesecond row, verifying that
#{a | (a, 12) = d} = #{a/d | (a/d, 12/d) = 1} = ϕ(12/d) ,
and hence that ∑d|12
ϕ(12/d) = 12 .
10.2 Fp and its groups under + and ×We are now going to explore the structure of the field Fp, using the rudiments of grouptheory. Only cyclic groups are actually required.
Recall:
Definition 10.4. A group G is a set with a product operation
G×G→ G ; (g, h) 7→ gh
and an identity element 1 ∈ G such that
• the product is associative (gh)i = g(hi) ∈ G for all g, h, i ∈ G,
• g1 = 1g = g ∈ G for each g ∈ G,
• for each g ∈ G there exists an inverse g−1 ∈ G such that gg−1 = g−1g = 1 ∈ G.
Definition 10.5. A group G is abelian if gh = gh ∈ G for all g, h ∈ G.
In fact, we shall only need to consider abelian groups in this course.
Definition 10.6. Let G be a group. We say that an element g ∈ G generates G if the setof powers of g and g−1 is equal to all of G. If such a g exists, we say that G is cyclic andwe write G = 〈g〉.
42
Note that a cyclic group G is necessarily abelian, since for any m,n ∈ Z
gmgn = gm+n = gngm ∈ G .
Definition 10.7. If g ∈ G, we say that the order of g is the smallest positive integer n suchthat gn = 1, or infinity if gn 6= 1 for all n > 1.
Example 10.8. (i) The integers Z with respect to addition are an infinite cyclic group, withidentity 0 ∈ Z. The generator 1 ∈ Z has infinite order.(ii) For any n > 1 the integers mod n with respect to addition are a finite cyclic group Zn,with identity 0 ∈ Zn. The generator 1 ∈ Zn has order n.
There is a close connection between the order of a group element and the greatest commondivisor in number theory:
Proposition 10.9. For any group G, if g ∈ G has order n than gk ∈ G has order n/(n, k)
Proof. The first value of j = 1, 2, 3, . . . such that (gk)j = 1 ∈ G is also the first value of jsuch that n | kj, and this is j = n/(n, k).
A finite group G is cyclic if and only if there is an element g ∈ G with order equal to thenumber of elements in G.
Notice that by definition, in a field F there are two groups: the additive group (F,+),with 0 as the identity element, and the multiplicative group (F×,×), with F× = F\{0} and1 as the identity element.
For the finite field Fp the additive group (Fp,+) is fairly simple to describe. It is acyclic group of order p, with every non-zero element a generator. The multiplicative group(F×p ,×) is also cyclic (as proved in the next section), but of order p− 1, and only some non-identity elements are generators. Note the essential difference between the orders ofelements in the additive and multiplicative groups. In the workshop you will workout several examples to determine the number of elements of each possible order in (Fp,+)and (F×p ,×). Here are some examples.
Some orders of elements in (F7,+) and (F×7 ,×)
n 0 1 2 3 4 5 6order under + 1 7 7 7 7 7 7
,n 1 2 3 4 5 6
order under × 1 3 6 3 6 2
Some orders of elements in (F11,+) and (F×11,×)
n 0 1 2 3 4 5 6 7 8 9 10order under + 1 11 11 11 11 11 11 11 11 11 11
n 1 2 3 4 5 6 7 8 9 10order under × 1 10 5 5 5 10 10 10 5 2
43
Some orders of elements in (F13,+) and (F×13,×)
n 0 1 2 3 4 5 6 7 8 9 10 11 12order under + 1 13 13 13 13 13 13 13 13 13 13 13 13
n 1 2 3 4 5 6 7 8 9 10 11 12order under × 1 12 3 6 4 12 12 4 3 6 12 2
Hopefully the pattern in the table for the operation + is clear. As an exercise, prove thatif p is prime, then the order (under plus) of an element 1 6 a 6 p − 1 is precisely equal top. However, under × the situation is clearly a bit more subtle. In these examples, it’s truethat there is an element of order p− 1 in each case.
10.3 F×p is cyclic!
As before, we denote the group of nonzero elements of Fp by F×p . We now state the rathersurprising fact:
Theorem 10.10. F×p is a finite cyclic group of order p− 1.
Definition 10.11. We call an element x ∈ F×p a primitive root if x is a generator for F×p .In other words, if x, x2, x3, . . . , xp−1 are all distinct numbers mod p. We may also say thatx is a primitive root mod p.
It is easy to see that an element x is primitive if and only if its order is equal to p− 1.For example, if p = 7 then we could try a few numbers:
〈1〉 = {1, 12, 13, . . . , } = {1}
〈2〉 = {2, 22, 23} = {1, 2, 4}〈3〉 = {3, 32, 33, 34, 35, 36} = {1, 2, 3, 4, 5, 6}
So 3 is a generator for the multiplicative group F×p when p = 7. However, the numbers 1and 2 failed to generate everything.
As the example above indicates, 3 is a primitive root mod 7. As another example, ifp = 23 then 5 is the smallest positive integer which is a primitive root. As we’ll see, thetheory of these roots can be quite mysterious. The following lemma will be useful:
Lemma 10.12. Let G be a group and g ∈ G. If for integers m,n, we have gm = 1 andgn = 1 then ggcd(m,n) = 1.
Proof. Note that since g−1 exists, it makes sense to talk about both positive at negativepowers of g. Thus since gcd(m,n) can be written as mx+ ny = gcd(m,n), we see that
agcd(m,n) = (am)x · (an)y = 1.
44
Lemma 10.13. Let G be a finite group, of cardinality N . For every g ∈ G the order of gdivides N .
Proof. gN = 1 by an application of the Lagrange theorem that the cardinality of a subgroupof G (in this case the cyclic subgroup generated by g) divides the cardinality of G. Letm denote the order of g, so that gm = 1. Suppose that m does not divide N . Thengcd(m,N) < m. But then by Lemma 10.12 ggcd(m,N) = 1. This is a contradiction since weassumed that m was the smallest positive integer k such that gk = 1.
Let N(d) denote the number of elements of order d in F×p . Since |F×p | = ϕ(p) = p− 1, byLemma 10.13 N(d) = 0 unless d | p− 1. Let’s go back to the table above with p = 13. Foreach d | p− 1 = 12 we see that we have
N(12) = 4, N(6) = 2, N(4) = 2, N(3) = 2, N(2) = 1, N(1) = 1 .
These values are exactly the same as the values of the Euler ϕ function!
Theorem 10.14. For any prime p and d ∈ N
N(d) =
{ϕ(d) if d | p− 1
0 otherwise.
Proof. We assume d | p− 1, and proceed in two steps. First we will show that N(d) 6 ϕ(d).Let’s do it! If N(d) = 0 there is nothing to prove, since ϕ(d) > 0. If N(d) > 0 there is
some element a ∈ F×p of order d. In other words, the elements
{a, a2, a3, . . . , ad = 1}
are all distinct in F×p . The equation xd = 1 ∈ F×p thus has exactly d roots, namelya, a2, . . . , ad. (Recall from Theorem 9.2 that a degree d polynomial can have at most droots). By Proposition 10.9 ak has order d/(k, d), so that ak has order d if and only if(k, d) = 1.
Thus we have shown that the elements of order d in F×p are precisely those elements ak
with (k, d) = 1. In other words, there are ϕ(d) of them. (Remark: We have shown that ifN(d) > 0 then N(d) = ϕ(d). This is nice, but unfortunately doesn’t help with the proofsince we use different means from here onwards).
We are now ready for the second step. Showing that N(d) = ϕ(d). We will use the factthat N(d) 6 ϕ(d). Notice that every element in F×p has some order. And there are p − 1elements. And the order of elements must divide p− 1. Thus
p− 1 =∑d|p−1
N(d)
And by Step 1, we have
p− 1 6∑d|p−1
ϕ(d)
But now by Theorem 10.2, we know that the right hand side is p−1. But this must mean thatthe inequality 6 is actually an equality. So this means that N(d) = ϕ(d) for all d | p−1.
45
Proof of Theorem 10.10. Since p is prime N(p − 1) = ϕ(p − 1) > 0, so that there exists aprimitive root x ∈ F×p , i.e. an element of order p − 1. Thus F×p is cyclic, with generatorx.
The special case d = p−1 of Theorem 10.14 gives that F×p has exactly N(p−1) = ϕ(p−1)primitive roots. Here are some examples:
• F7 has ϕ(6) = 2 primitive roots, namely 3,5.
• F11 has ϕ(10) = 4 primitive roots, namely 2,6,7,8.
• F13 has ϕ(12) = 4 primitive roots, namely 2,6,7,11
10.4 Taking nth roots in F×pTake an odd prime p and g a fixed primitive root modp. Then for any B ∈ F×p we define theindex (old-fashioned word) or discrete logarithm (current jargon) of B, written indB orlogpB, as the integer b ∈ {0, 1, . . . , p− 2} such that B = gb in Fp. Clearly the function logpdepends not only on p but also on the choice of the primitive root g.
Proposition 10.15. Given n ∈ N and B ∈ F×p , the equation Xn = B in F×p has a solutionX ∈ F×p iff gcd(n, p− 1) | logpB.
When gcd(n, p− 1) | logpB then the number of distinct solutions X of Xn = B in F×p isgcd(n, p− 1).
Proof. Write B = gb, X = gx, so that gnx = gb, giving nx ≡ b mod p− 1. Hence the numberof solutions is gcd(n, p− 1).
For large primes p, the problem of finding the discrete logarithm logpB of B appears tobe an intractable problem, called the Discrete Logarithm Problem. Many techniques inCryptography depend on this hypothesis. See e.g.,
http://en.wikipedia.org/wiki/Discrete logarithm
Main Points from Lecture 10:
• Definition and properties of ϕ(n)
• The multiplicative group of Fp is cyclic.
• Definition of primitive roots
11 Multiplicative Functions (26.10.2015)
Euler’s ϕ function is very useful, as we have seen. A large part of the reason why is becauseit is a multiplicative function. Before going on for a more detailed study of primitive roots,we study multiplicative functions in general.
46
11.1 Arithmetic functions - more about ϕ
Arithmetic functions are functions f : N→ N or Z or maybe C, usually having some arith-metic significance. An important subclass of such functions are the multiplicative functions:such an f is multiplicative if
f(nn′) = f(n)f(n′)
for all n, n′ ∈ N with n and n′ coprime (gcd(n, n′) = 1). By convention, f(1) = 1.
Proposition 11.1. If f is multiplicative and n1, . . . , nk are pairwise coprime (gcd(ni, nj) = 1for all i 6= j) then
f(n1n2 . . . nk) = f(n1)f(n2) . . . f(nk).
This is readily proved by induction.
Corollary 11.2. If n factorises into distinct prime powers as n = pe11 . . . pekk then
f(n) = f(pe11 ) . . . f(pekk ).
So multiplicative functions are completely determined by their values on prime powers.Some examples of multiplicative functions are
• The identity function: f(n) = n;
• The constant function f(n) = 1;
• The ‘1-detecting’ function ∆(n), equal to 1 at n = 1 and 0 elsewhere – obviouslymultiplicative;
• τ(n) =∑
d|n 1, the number of divisors of n;
• σ(n) =∑
d|n d, the sum of the divisors of n.
Proposition 11.3. The functions τ(n) and σ(n) are both multiplicative.
Example 11.4. Let’s check that σ(36) = σ(9 · 4) = σ(9)σ(4). The divisors of 36 are
1, 2, 3, 4, 6, 9, 12, 18, 36
their sum is 91. On the other hand the divisors of 9 and 4 are respectively
1, 3, 9, and 1, 2, 4
Hence σ(9) = 13 and σ(4) = 7. Luckily 13 · 7 = 91.A curious thing happened on the way to this result. Notice that 36 had nine divisors and
that 9 and 4 each had three apiece. If we were gamblers, we might wager that this is nocoincidence. We might wager that any divisor of 36 is a product of a divisor of 9 and adivisor of 4, and that this could be done in a unique way. Stop here and think through whythis should be true.
47
Lemma 11.5. If a and b are relatively prime then any factor of ab can be written as aproduct of a factor of a times a factor of b in a unique way. Hence the number of divisorsof ab is equal to the number of divisors of a times the number of divisors of b. In terms ofthe function τ we have proven that τ(n) is a multiplicative function.
Notice that the Lemma is not true is if a and b fail to be relatively prime. For instanceif a = 4, b = 12 then the factor d = 4 of 48 can be written in many ways as a product offactors of a and b: 4 = 4 · 1 = 2 · 2 = 1 · 4. The point is that if a and b are relatively prime,there’s only one way to do this!
The proof of this lemma is pretty straightforward and is left as an exercise - think aboutthe prime factors that divide a and b and those that divide ab.
To show that σ is multiplicative, we will prove a stronger result that puts σ and τ in abroader context. This is the operation “hat”.
Definition 11.6. Given an arithmetic function f , define its ‘sum over divisors’ function
f(n) =∑d|n
f(d) .
This is sometimes also called the summatory function of f .
Notice that if f is a function, then f is another function, and one that depends on f .For example f(12) = f(1) + f(2) + f(3) + f(4) + f(6) + f(12), which clearly depends on
f .For instance if f(n) = n then
f(n) =∑d|n
f(d) =∑d|n
d = the sum of all divisors of n = σ(n).
We could write this as f = σ. Or since f(n) = n, we could write n = σ. During class,
someone asked why we didn’t write d = σ. This is a good question, and one to think about.The answer is just that the functions f(d) = d and the function f(n) = n are the samefunction. In some circles they have even a third name - the identity function. It’s good tobe able to keep these things straight.
For further practice, check that 1 = τ . Remember, the function f(n) = 1 is NOT theidentity function, it’s the constant function that sends everything to 1.
The following proposition shows the important fact that if f is a multiplicative function,then so is f .
Proposition 11.7. Let F (n) = f(n). If f is multiplicative, then F is also multiplicative.
Proof. The relationship between F and f is that F (n) adds up the values of f(d) on alldivisors d of n. Now suppose that n = ab with a and b coprime. We want to show thatF (ab) = F (a)F (b), given that f(ab) = f(a)f(b). Notice:
F (ab) =∑d|ab
f(d)
48
F (a)F (b) = (∑d|a
f(d))(∑e|b
f(e)) (3)
We want to show these two are equal. But by the Lemma, we know that every divisor d ofab can be written uniquely as a product of divisors of a and b. Hence
F (ab) =∑d|ae|b
f(de) =∑d|ae|b
f(d)f(e) (4)
where the last equality holds since f is multiplicative. Now it is clear that this is equal toF (a)F (b) because each term of the right hand side of (4) is equal to a term of (3) and viceversa.
Hence we have shown that f is multiplicative whenever f is. Thus we know that σ and τare multiplicative since they are the hats of the (obviously) multiplicative functions f(n) = nand f(n) = 1.
Remark 11.8. It’s fun sometimes to see what properties multiplicative functions have to haveby default. For instance, notice that from the definition we see that f(1) = f(1·1) = f(1)f(1).So (f(1))2 = f(1). This only has two possible solutions in Z so f(1) is either 1 or 0. Iff(1) = 0 then we can prove that f(n) = f(n ·1) = f(n)f(1) = 0 for all n. So in other words,we have shown that if f is not the zero function, then f(1) = 1.
To close our tour of multiplicative functions, let’s study our friend ϕ, defined by
ϕ(n) = the number of a such that 1 6 a 6 n and greatest common divisor (a, n) = 1 .
As a warmup, let’s compute!
Proposition 11.9. If p is prime and k is a positive integer then ϕ(pk) = pk−pk−1 = pk(1−1p).
In particular ϕ(p) = p− 1.
Proof. There are pk numbers between 1 and pk. Of these, the ones that are relatively primeto pk are the ones who are NOT divisible by p. There are pk−1 multiples of p in this range,hence
ϕ(pk) = #{1, 2, . . . , pk} −#{p, 2p, 3p, . . . , pk} = pk − pk−1 .
Theorem 11.10. Euler’s ϕ function is multiplicative.
Notice that this theorem shows that if n = pe11 · · · penn then ϕ(n) = ϕ(pe11 ) · · ·ϕ(pekn ). Eachfactor is easy to compute by the Proposition above. In fact, since ϕ(pe) = pe(1− 1
p) we see
that
ϕ(n) = pe11
(1− 1
p1
)· · · pekk
(1− 1
pk
)= n
∏p|n
(1− 1
p
)which proves:
49
Corollary 11.11. If n is an integer, then
ϕ(n) = n∏p|n
(1− 1
p
).
Remark 11.12. Notice that this is a quite a nice formula, but in practice it’s probably easiestto just remember the formula ϕ(pk) = pk − pk−1 and use this to compute ϕ.
Example 11.13.
ϕ(300) = ϕ(3)ϕ(4)ϕ(25) = (3− 1)(4− 2)(25− 5) = 2 · 2 · 20.
Proof of Theorem. Take n and n′ coprime, and let
{i : 1 6 i 6 n, gcd(i, n) = 1} = {a1 < a2 < · · · < aϕ(n)},
the reduced residue classes modn. Similarly, let
{j : 1 6 j 6 n′, gcd(j, n′) = 1} = {a′1 < a′2 < · · · < a′ϕ(n′)}.
The idea is now that numbers that are relatively prime to nn′ are gotten by combining pairsof (ai, a
′j) using the Chinese Remainder Theorem in a unique way. Hence the number of
relatively prime integers to nn′ is equal to the product of ϕ(n)ϕ(n′).If x ∈ {1, 2, . . . , nn′} and gcd(x, nn′) = 1 then certainly gcd(x, n) = gcd(x, n′) = 1, so
thatx ≡ ai mod n x ≡ a′j mod n′ (5)
for some pair ai, a′j. Conversely, given such a pair ai, a
′j we can solve (5) using the CRT to
get a solution x ∈ {1, 2, . . . , nn′} with gcd(x, nn′) = 1. Thus we have a bijection betweensuch x and such pairs ai, a
′j. Hence
#{such x} = ϕ(nn′) = #{ai, a′j} = ϕ(n)ϕ(n′).
12 The multiplicative group of units mod n, Euler’s The-
orem and more about Primitive Roots (29.10.2015)
We begin with a definition:
Definition 12.1. A number 1 6 a 6 n which has an inverse x modulo n
ax ≡ 1(mod n)
is called a unit modulo n.
50
Proposition 12.2. (i) a is a unit mod n if and only if a, n are coprime.(ii) The set of units mod n forms a finite abelian group, the group of units mod n Z/nZ×under multiplication mod n.8 The group Z/nZ× is of order ϕ(n).
Proof. (i) a is coprime to n if and only if there exist x, y ∈ Z such that
ax+ ny = 1 ∈ Z .
Then x mod n is the inverse of a mod n.(ii) We have to show that the operation of multiplication is well-defined on the set of units.I.e. that the product of two units is a unit.9 This follows since the inverse of ab is the productof the inverses of a and b. By the definition of the Euler ϕ-function, there are precisely ϕ(n)residues a(mod n) coprime to n. We also should show that every element has an inverse (bydefinition), that 1 is in this set (obvious) and that the multiplication is associative (againobvious). In short there wasn’t much to see in this proof. Better ask for our money back.
For some integers n the group Z/nZ× is cyclic, while for other n the group it is not cyclic(although always a product of cyclic groups).
Here is the definition of a primitive root (10.11) again.
Definition 12.3. We say that a is a primitive root modulo n if (a, n) = 1 and thefollowing ϕ(n) numbers
{a, a2, a3, . . . , aϕ(n)}
are distinct modulo n, i.e. if Z/nZ× is cyclic, with generator a. In other words, a has(maximal) order equal to ϕ(n). In this case we say that n has a primitive root.
Like so much else in number theory, primitive roots were first studied by Gauss, in theearly 19th century. The Wikipedia article on primitive rootshttps://en.wikipedia.org/wiki/Primitive root modulo nand the multiplicative group of unitshttps://en.wikipedia.org/wiki/Multiplicative group of integers modulo nare very informative!
Example 12.4. (i) For a prime p the group of units Z/pZ× = F×p = {1, 2, . . . , p − 1} is acyclic group of order ϕ(p) = p− 1 by Theorem 10.10, with ϕ(p− 1) generators (= primitiveroots).(ii) Consider Z/4Z = {0, 1, 2, 3}, the integers modulo 4. The units are the numbers relativelyprime to 4, which are
Z/4Z× = {1, 3}8There are many notations for this group. Some people write Z/nZ×. Others use U(Zn) or U(Z/nZ).
What’s important is to remember that this group is not all of the numbers from 1 to n, but only thosenumbers that are coprime to n.
9Some of you might call this “showing that the set is closed under multiplication”
51
This is a cyclic group of order two, and the element 3 indeed has order ϕ(4) = 2, so 3 is aprimitive root for 4.(iii) Consider Z/8Z = {0, 1, 2, 3, 4, 5, 6, 7}, the integers modulo 8, with units
Z/8Z× = {1, 3, 5, 7}
a group of order ϕ(8) = 4. However, the 3 non-identity elements 3, 5, 7 all have order 2,forming the Klein 4-group V , the non-cyclic finite group of order 4:https://en.wikipedia.org/wiki/Klein four-group.Thus there are no primitive roots for 8. But you can hear the Klein group sing:https://www.youtube.com/watch?v=BipvGD-LCjU.
Given an integer n > 1 and a residue a(mod n) it is easy to check if a is a unit mod n:just apply the Euclidean algorithm to calculate the greatest common divisor (a, n) and see ifit is 1. (For a prime power n = pk there is an even easier procedure: just check if the reductiona(mod p) is non-zero.) It is also easy to check if n has primitive roots - see Theorem 12.8below. But there is no general formula for deciding which units a ∈ Z/nZ× are primitiveroots of n: you just have to calculate the order of a ∈ Z/nZ×, i.e. work out the first integerm = 1, 2, . . . such that am ≡ 1(mod n), and see if it is m = ϕ(n). Of course, some waysof doing this are more efficient than others. For low values of n there is nothing for it butto work out a, a2, . . . , am ≡ 1 mod n and see if m = ϕ(n) - even in the prime power casen = pk.
Here is a table of results for n 6 12:
n ϕ(n) Z/nZ× primitive roots2 1 {1} {1}3 2 {1, 2} {2}4 2 {1, 3} {3}5 4 {1, 2, 3, 4} {2, 3}6 2 {1, 5} {5}7 6 {1, 2, 3, 4, 5, 6} {3, 5}8 4 {1, 3, 5, 7} NONE9 6 {1, 2, 4, 5, 7, 8} {2, 5}10 4 {1, 3, 7, 9} {3, 7}11 10 {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} {2, 6, 7, 8}12 4 {1, 5, 7, 11} NONE
Theorem 12.5. If n = m1m2 . . .mk is an expression of n as a product of powers of distinctprimes mi = peii (1 6 i 6 k) then the group of units mod n is the product
Z/nZ× = Z/m1Z× × Z/m2Z× × · · · × Z/mkZ× .
Proof. As in the proof of the Chinese Remainder Theorem 6.3 we have that (mi,mj) = 1for i 6= j, and define m∗i to be the inverse modmi of m1 . . .mi−1mi+1 . . .mk, so that
m1 . . .mi−1m∗imi+1 . . .mk ≡ 1 mod mi.
52
Then a ∈ Z/nZ is a unit mod n if and only if each a ∈ Z/miZ is a unit mod mi, and thefunction
Z/nZ× → Z/m1Z× × Z/m2Z× × · · · × Z/mkZ× ;
a mod n 7→ (a mod m1, a mod m2, . . . , a mod mk)
is an isomorphism of groups (= bijection which preserves the group multiplication) withinverse
Z/m1Z× × Z/m2Z× × · · · × Z/mkZ× → Z/nZ× ;
(a1, a2, . . . , ak) 7→k∑i=1
aim1m2 . . .mi−1m∗imi+1 . . .mk .
Recalling that if you have a finite group G of order |G| then every element g in the groupsatisfies g|G| = e where e is the identity, we obtain
Theorem 12.6 (Euler’s Theorem). If n is a positive integer then aϕ(n) ≡ 1 mod n for everya with (a, n) = 1.
Proof. If (a, n) = 1 then a is a unit modulo n. Hence it is in the group G of units modulon. But this means that it satisfies a|G| = 1 in this group. Since |G| = ϕ(n) we are done.
Remark 12.7. Euler’s Theorem is a generalization of Fermat’s Little Theorem, since ϕ(p) =p− 1.
An Application: We can use Euler’s Theorem to find inverses: Indeed, we know thata·aϕ(n)−1 = 1 mod n so that aϕ(n)−1 is the inverse of a modulo n. For instance if ax ≡ b mod nhas a solution that it must be
x = aϕ(n)−1b mod n.
You might wonder: Modulo p there was always a primitive root - i.e. an element of orderp − 1 (the biggest possible order). Must there always be an element of order ϕ(n) modulon? The answer to this question is NO, but in some cases the answer is YES.
The following theorem states exactly which integers n have primitive roots.
Theorem 12.8. A positive integer n has a primitive root if and only if n is one of thefollowing numbers
2, 4, pk, 2 · pk
where p is an odd prime and k is a positive integer.
Proof. Section 9.3 of Rosen, posted on LEARN.
We have seen already that 4 has a primitive root, and have also shown that p has aprimitive root for all p. What remains is to show that that in the remaining cases pk (k > 1)and 2pk there is indeed a primitive root, and that also all other numbers lack a primitiveroot. The statement of this theorem is important to know, though. As is the following:
53
Theorem 12.9. If n has a primitive root then it has ϕ(ϕ(n)) primitive roots.
Proof. The double ϕ is NOT a typo, and although this looks a bit intimidating, the proof isactually really calming. Indeed, it’s just three baby steps:
First, the group of units modulo n is a group G with |G| = ϕ(n).Second, if n has a primitive root, then this means that G is cyclic.Third, if G is a cyclic group of order m then G has ϕ(m) many generators. (Proved in
Lemma 12.10 below).The result now follows.
Lemma 12.10. If G is a cyclic group of order m then G has ϕ(m) many generators.
We won’t present the proof in class, but because it was on the homework, I’m includinga different solution here:
Proof. This was essentially one of your homework problems, but here’s the idea. If G iscyclic, then that means that G = 〈g〉 is generated by some element g. Hence every elementof the group is a power of g:
G = {g, g2, . . . , gm}Now we just have to figure out how many elements have order m. Well gk has order m ifand only if m is the smallest positive integer such that (gk)m = 1. (The word “smallest” isthe important word here, we already know that (gk)m = 1, since EVERY element in a groupsatisfying xm = 1.)
Now suppose that n is the smallest power such that (gk)n = 1. Then (gk)n = gkn andgkn = 1 if and only if kn ≡ 0 mod m. Hence we have that kn is a multiple of m, and n isthe smallest positive integer n with this property. Now if (k,m) = d then
(xk)m/d = (xm)k/d = (xm)an integer = 1
so certainly n < m/d. Hence if n = m then d = 1 and m and k are relatively prime.Conversely, it’s easy to check that if k and m are relatively prime that kn is a multiple of mif and only if n is a multiple of m.
This proof had a lot of steps, and the technicalities obscure the fact that this result issimple, nice, and really intuitive. If this proof doesn’t feel like a part of your repertoire, thentry a few examples:
(If G is cyclic of order 20, then G = {g, g2, . . . , g20}. Work out the order of the elementsg10, g2, g3, g5, g7 and look for patterns. Try to write your own proof of the above, etc.)
Main Points from Lecture 12:
• Definition and basic properties of the group Z/nZ× of units mod n
• Euler’s Theorem
• Primitive roots mod n
54
13 Mersenne primes and perfect numbers (2.11.2015)
For any number p define the Mersenne number
Mp = 2p − 1 .
If Mp is prime then p is prime (this was Problem 6 on Homework 1), and Mp is calleda Mersenne prime. Note that there are primes p which are not Mersenne, e.g. p =11. Mersenne primes are called after the 17th century French mathematician and theolo-gian Marin Mersenne. The Wikipedia pages https://en.wikipedia.org/wiki/Marin Mersenne,https://en.wikipedia.org/wiki/Mersenne prime are very informative!
A positive integer n is called perfect if it is the sum of its proper (i.e., excluding n itself)divisors. There is a surprising connection between perfect even numbers and the Mersenneprimes Mp = 2p − 1. The Euclid-Euler theorem proved below gives the equivalence of thefollowing conditions for an even number n:
• n is perfect,
• n = Mp(Mp + 1)/2 for a Mersenne prime p,
• 8n+ 1 is a square and Mp = (√
8n+ 1− 1)/2 is a Mersenne prime.
The first four Mersenne primes
M2 = 3 , M3 = 7 , M5 = 31 , M7 = 127
and the first four perfect numbers have been known since ancient times:
6 = M2(M2 + 1)/2 = 1 + 2 + 3 ,
28 = M3(M3 + 1)/2 = 1 + 2 + 4 + 7 + 14 ,
496 = M5(M5 + 1)/2 = 1 + 2 + 4 + 8 + 16 + 31 + 62 + 124 + 248 ,
8128 = M7(M7 + 1)/2 = 1 + 2 + 4 + 8 + 16 + 32 + 64 + 127 + 254 + 508 + 1016 + 2032 + 4064 .
Recall the multiplicative function
σ(n) =∑d|n
d .
A number n is perfect if and only if σ(n) = 2n.
Theorem 13.1. (Euclid and Euler) An even number n is perfect if and only if it is of theform n = 2p−1(2p − 1) = Mp(Mp + 1)/2 for some Mersenne prime Mp = 2p − 1.
55
Proof. We first prove that if Mp is a Mersenne prime then n = 2p−1(2p − 1) (with 2p − 1 isprime) is perfect. Since σ is multiplicative, we have that
σ(n) = σ(2p−1)σ(2p − 1)
withσ(2p−1) = 1 + 2 + 2+ · · ·+ 2p−1 = 2p − 1 ,
σ(q) = q + 1 for q prime.
Thusσ(n) = (2p − 1)(2p) = 2n .
This was Euclid’s bit.Conversely, suppose that n is an even perfect number. Then we can write n = 2k ·t where
t is an odd number. Then perfection implies that
2k+1t = 2n = σ(n) = (2k+1 − 1)σ(t) (6)
This implies that 2k+1 divides σ(t) (since the other factor on the right is odd). Thus we canwrite σ(t) = 2k+1s. Our goal is to show that k + 1 = p is prime and s = 1. Now cancelingwe see that
t = (2k+1 − 1)s
If s > 1 then t clearly has 1, s, t as factors. Thus
σ(t) > 1 + t+ s = 1 + (2k+1s− s) + s = 1 + (2k+1s)
but this is a contradiction, because we assume that σ(t) = 2k+1s.Hence s = 1 and we have that σ(t) = 2k+1, and Equation (6) says that
t = (2k+1 − 1).
This information about t and σ(t) implies that t must in fact be prime, as required : t = Mp
is a Mersenne prime. This was Euler’s bit.
Later, when we discuss primality testing we will see that there is a relatively efficientalgorithm to check whether a number of the form Mp = 2p− 1 is prime. (The Lucas-Lehmertest) A good source of information on Mersenne numbers ishttp://primes.utm.edu/mersenne/index.html
It is an unsolved problem as to whether there are any odd perfect numbers. See e.g.,http://en.wikipedia.org/wiki/Perfect number for lots on this problem.
GIMPS, the Great Internet Mersenne Prime Searchhttps://en.wikipedia.org/wiki/Great Internet Mersenne Prime Search,http://www.mersenne.org/primes/?press=M57885161is a collective effort to hunt down Mersenne primes. Here is a listing of the 48 known (as ofSeptember 2015) primes p such that Mp = 2p − 1 is a Mersenne prime2, 3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127, 521, 607, 1279, 2203, 2281, 3217, 4253, 4423, 9689,
56
9941, 11213, 19937, 21701, 23209, 44497, 86243, 110503, 132049, 216091, 756839, 859433,1257787, 1398269, 2976221, 3021377, 6972593, 13466917, 20996011, 24036583, 25964951,30402457, 32582657https://oeis.org/A000043.The largest known Mersenne prime is in fact the largest known prime
M32582657 = 232582657 − 1
with 9,808,358 digits. It is tantalizingly close to claiming the $100,000 award offered byan anonymous donor for finding a 10 million digit prime number. Incidentally, the OnlineEncyclopedia of Integer Sequenceshttps://oeis.orgis a marvellous compendium of integer sequences of all kinds!
Main Points from Lecture 13:
• Definition of Mersenne prime Mp
• Definition of perfect number
• The Euclid-Euler Theorem
14 The Mobius function µ(n), Mobius inversion and
the convolution f ∗ g (5.11.2015)
Recall from Chapter 11 that an arithmetic function f : N → N (or to Z or to C) is multi-plicative if
f(mn) = f(m)f(n) for coprime integers m,n > 1
and f(1) = 1. Recall also the summatory function of f
f(n) =∑d|n
f(d) .
In Proposition 11.7 it was proved that if f(n) is multiplicative, then so is f(n). The classic
formula of Mobius Inversion recovers the function f(n) from the function f(n) (withoutassuming multiplicativity) using the Mobius function µ(n). The main results of this Chapter
is that f(n) is multiplicative if and only if f(n) is multiplicative. (One way round was already
proved in Chapter 11). The relationship between f(n) and f(n) is seen to be a special caseof the convolution (f ∗ g)(n) of arithmetic functions f(n), g(n). The convolution will give asystematic construction of multiplicative functions.
57
14.1 The Mobius function µ(n)
Let’s start with a few examples - following the notation of Rosen, we will let F (n) = f(n).
F (1) = f(1)
F (2) = f(1) + f(2)
F (3) = f(1) + f(3)
F (4) = f(1) + f(2) + f(4)
F (5) = f(1) + f(5)
F (6) = f(1) + f(2) + f(3) + f(6)
If we solve these equations for f(n) in terms of F (n) we see
f(1) = F (1)
f(2) = F (2)− F (1)
f(3) = F (3)− F (1)
f(4) = F (4)− F (2)
f(5) = F (5)− F (1)
f(6) = F (6)− F (2)− F (3) + F (1).
Experimentally it seems that
f(n) =∑d|n
µn,dF (d)
where µn,d seems to be either 0, 1 or −1. We will prove that there exists a multiplicativefunction µ(n) such that
f(n) =∑d|n
µ(n/d)F (d) .
This allows us to invert the process of passing to a summatory function f 7→ f .
Definition 14.1. The Mobius function µ(n) is defined as
µ(n) =
{0 if p2 | n for some prime p;
(−1)k if n = p1p2 . . . pk for distinct primes pi.
In particular, µ(1) = 1 and µ(p) = −1 for a prime p. It is immediate from the definitionthat µ is multiplicative.
Proposition 14.2. The summatory function of µ is the 1-detecting function ∆(n)
µ(n) = ∆(n) =
{1 if n = 1
0 if n 6= 1 .
58
Proof. We need to check that∑
k|n µ(k) = ∆(n). Recall that ∆(n) is one if n = 1 and zero
otherwise. Since µ is multiplicative, it suffices to compute∑
k|n µ(k) when n = pe is a powerof a prime. If e > 0 then∑
k|peµ(k) = µ(1) + µ(p) + · · ·µ(pe) = 1− 1 = 0.
If e = 0 then of course µ(1) = µ(1) = 1. Hence µ(n) = 0 unless n = 1, and we are done.
Integers with µ(n) = ±1 are called squarefree.The Mobius function arises in many kinds of inversion formulae. The fundamental one
is the following.
Proposition 14.3. (Mobius inversion) Let f(n) be an arithmetic function, and let
F (n) = f(n) =∑d|n
f(d) (n ∈ N) .
Then for all n ∈ N we can recover f(n) from F (n) by
f(n) =∑d|n
µ(n/d)F (d) .
Proof. We will simplify∑d|n
µ(n/d)F (d) =∑d|n
µ(n/d)∑k|d
f(k) (n ∈ N)
by interchanging the order of summation to make∑
k|n the outer sum. First note that we
can swap d and n/d in the sum:∑d|nµ(n/d)
∑k|df(k) =
∑e|n
(µ(e)∑
k|(n/e)f(k))
=∑e|n
(∑
k|(n/e)µ(e) · f(k)) .
Notice that the pairs of integers (e, k) such that e | n and k | n/e is the same as the set ofpairs is the same as those with k | n and e | (n/k). So∑
e|n(∑
k|(n/e)µ(e) · f(k)) =
∑k|n
(∑
e|(n/k)µ(e)f(k))
=∑k|nf(k)
( ∑e|(n/k)
µ(e)
).
The inner bracket is µ(n/k) which is nonzero if and only if n = k. In this case, µ(1) = 1.Hence we have that the sum above reduces to∑
k|n
f(k)
∑e|(n/k)
µ(e)
= f(n) · 1 = f(n).
59
14.2 Some Examples of Using Mobius Inversion
There are two main uses of Mobius Inversion. The first is that we can just apply the formulato immediately obtain identities which might be difficult to obtain directly.
Example 14.4. By definition,
σ(n) = n =∑d|n
d .
Mobius inversion gives that
n =∑d|n
µ(n/d)σ(d) .
Example 14.5. By definition
τ(n) = 1(n) =∑d|n
1 .
Mobius inversion gives that
1 =∑d|n
µ(n/d)τ(d) .
Proposition 14.6. (i) The summatory function of the Euler ϕ-function
ϕ(n) =∑
16a6n,(a,n)=1
1
isϕ(n) =
∑d|n
ϕ(d) = n .
(ii) Mobius inversion expresses ϕ(n) as
ϕ(n) =∑d|n
µ(n/d)d
Proof. (i) Every integer m with 1 6 m 6 n has a greatest common divisor (m,n). For eachdivisor d | n there are exactly ϕ(n/d) integers m with 1 6 m 6 n and (m,n) = d, namelya1d, a2d, . . . , aϕ(n/d)d with a1, a2, . . . , aϕ(n/d) the integers a with 1 6 a 6 n/d coprime to n/d.The summatory function is
ϕ(n) =∑d|nϕ(d)
=∑d|nϕ(n/d) (since d | n if and only if n/d | n)
=∑d|n
∑16a6n/d,(a,n/d)=1
1
= n .
(ii) Immediate from (i).
60
Numerical example ϕ(12) = 4 because there are exactly 4 numbers 1 6 a 6 12 coprimeto 12, namely a = 1, 5, 7, 11. On the other hand, there are 6 divisors: 1,2,3,4,6,12, so
ϕ(12) =∑d|12
µ(12/d)d
= µ(12/1)1 + µ(12/2)2 + µ(12/3)3 + µ(12/4)4 + µ(12/6)6 + µ(12/12)12
= 0 + 2 + 0− 4− 6 + 12 = 4 .
The second main use of Mobius inversion is the following converse of Proposition 11.7:
Proposition 14.7. If an arithmetic function f(n) is such that F (n) = f(n) is multiplicative,then f(n) is multiplicative.
Proof. Suppose that m1,m2 are coprime integers > 1. If d is a divisor of m1m2 then d = d1d2where d1 | m1, d2 | m2 with d1, d2 coprime. Using the Mobius inversion formula and the factthat µ and F are multiplicative we see that
f(m1m2) =∑
d|m1m2
µ(d)F (m1m2/d)
=∑
d1|m1,d2|m2
µ(d1d2)F (m1/d1)F (m2/d2)
=
( ∑d1|m1
µ(d1)F (m1/d1)
)( ∑d2|m2
µ(d2)F (m2/d2)
)= f(m1)f(m2) .
Conclusion: f(n) if and only if f(n) is multiplicative.
Remark 14.8. This gives another proof that ϕ is multiplicative, say from the fact that ϕ = n(Proposition 14.6 (i)) is multiplicative.
14.3 Convolution
It is not accident that an arithmetic function f(n) is multiplicative if and only if the sum-
matory function f(n) is multiplicative!
Definition 14.9. The convolution of arithmetic functions f(n), g(n) is the arithmeticfunction
(f ∗ g)(n) =∑d|n
f(d)g(n/d) .
(This is the number theory analogue of the convolution of continuous functions f(x),
g(x), defined by (f ∗ g)(x) =∞∫−∞
f(y)g(x − y)dy, which plays such an important role in
functional analysis, e.g. Fourier analysis.)
61
Example 14.10. We have already had several examples of convolutions:(i) By Example 14.4 σ = n ∗ 1, µ ∗ σ = n.(ii) By Example 14.5 τ = 1 ∗ 1, µ ∗ τ = 1.(iii) By Proposition 14.6 n = ϕ ∗ 1, µ ∗ n = ϕ.Can you spot a common feature of (i), (ii) and (iii)? Yes, if g = f ∗ 1 then µ ∗ g = f , and
in fact g = f .
Basic properties: the convolution is commutative and associative; for any arithmeticfunctions f(n), g(n), h(n)
f ∗ g = g ∗ f , (f ∗ g) ∗ h = f ∗ (g ∗ h) .
(Why?) We have met the unit before:
Example 14.11. Convolution with the 1-detecting ∆-function ∆(n) =
{1 if n = 1
0 if n 6= 1does
not change anything:f ∗∆ = f .
Proposition 14.12. If f(n) and g(n) are multiplicative functions then so is their convolution(f ∗ g)(n).
Proof. As in the proof of Proposition 14.7 we have that for coprime integers m1,m2 > 1
(f ∗ g)(m1m2) =∑
d1|m1,d2|m2
f(d1d2)g(m1m2/d1d2)
=
( ∑d1|m1
f(d1)g(m1/d1)
)( ∑d2|m2
f(d2)g(m2/d2)
)= (f ∗ g)(m1)(f ∗ g)(m2) .
Remark 14.13. (i) The summatory function of an arithmetic function f(n) is the convo-lution with the constant function 1(n) = 1
f = f ∗ 1 .
Since 1 is multiplicative Proposition 14.12 recovers Proposition 11.7, that if f is multiplicativethen so is f .(ii) By Proposition 14.2 the convolution of the constant function 1 and the Mobius functionµ(n) is the 1-detecting function
1 ∗ µ = ∆ .
(iii) From (i) and (ii) and the associativity of the convolution we have a new proof of theMobius inversion Proposition 14.3, that we can recover any arithmetic function f(n) from
its summatory function f(n) as the convolution with the Mobius function µ(n)
f = f ∗∆ = f ∗ (1 ∗ µ) = (f ∗ 1) ∗ µ = f ∗ µ .
62
Since µ is multiplicative Proposition 14.12 recovers Proposition 14.7, that if f is multiplica-tive then so is f .
The Wikipedia pageshttps://en.m.wikipedia.org/wiki/Multiplicative functionhttps://en.m.wikipedia.org/wiki/Mobius inversion formulaare useful introductions.
The book Number Theory in Science and Communication With Applications in Cryptog-raphy, Physics, Digital Information, Computing, and Self-Similarity by Manfred Schroder isa wonderful account of the applications of number theory to the real world!
Main Points from Lecture 14:
• Definition of Mobius function µ(n)
• Mobius inversion
• Convolution
15 Quadratic Residues (9.11.2015)
15.1 Quadratic residues and nonresidues
Given a quadratic equation with real (or rather complex) coefficients
x2 + ax+ b = 0
it is possible to “complete the square”
(x+ a/2)2 = a2/4− b
and solve by taking square roots of the discriminant
x+ a/2 = ±√a2/4− b .
What about quadratic equations modulo n, of the form
x2 + ax+ b ≡ 0(mod n)
for a, b(mod n)? If n = 2m− 1 is an odd integer, then 2m ≡ 1(mod n) and
(x+ am)2 = a2m2 − b mod n .
To proceed further need to know if the discriminant r = a2m2 − b is a square modn. Ifn = 2m− 1 is an odd prime this can be decided as follows.
Let then p be an odd prime, and r ∈ F×p . If the equation x2 = r has a solution x ∈ F×pthen r is called a quadratic residue modp. If there is no such solution x, then r is calleda quadratic nonresidue modp.
63
Proposition 15.1. Take p an odd prime, and g a primitive root modp. Then the quadraticresidues modp are the even powers of g, while the quadratic nonresidues modp are the oddpowers of g. (So there are p−1
2of each.)
Proof. Suppose r ∈ F×p , with r = gk say. If k is even then r = (gk/2)2, so that r is a quadraticresidue modp. Conversely, if x = g`, x2 = r, then g2`−k = 1, so that 2`− k is a multiple ofp− 1, which is even. So k is even.
15.2 The Legendre symbol
Let p be an odd prime, and r ∈ F×p . Then the Legendre symbol is defined as(r
p
)=
{1 if r is a quadratic residue mod p;
−1 if r is a quadratic nonresidue mod p.
Note that, on putting r = gk for a primitive root g we see that(gk
p
)= (−1)k =
{1 if k is even;
−1 if k is odd.
Next, recall Fermat’s Theorem: that rp−1 = 1 for all r ∈ F×p . This is simply a consequenceof F×p being a group of size (order) p−1. (We know that g#G = 1 for each g in a finite groupG.)
Proposition 15.2 (Euler’s Criterion). For p an odd prime and r ∈ F×p we have in F×p that
(r
p
)= r
(p− 1)
2 ∈ {+1,−1} . (7)
Proof. If r = gk then for k even
rp−12 = gk
p−12 = (gp−1)k/2 = 1k/2 = 1,
while if k is odd, k p−12
is not a multiple of p− 1, so rp−12 6= 1. However, rp−1 = 1 by Fermat,
so rp−12 = ±1 and hence r
p−12 = −1. So, by Proposition 15.1, we have (7), as required.
Theorem 15.3. In particular (r = −1), for p an odd prime, we have
(−1
p
)= (−1)
p− 1
2 =
{1, if p ≡ 1 mod 4
−1, if p ≡ −1 mod 4.
Lemma 15.4. Let p be an odd prime, and a, b be integers not divisible by p. We have
64
1. a ≡ b mod p implies that
(a
p
)=
(b
p
);
2.
(ab
p
)=
(a
p
)(b
p
);
3.
(a2
p
)= 1,
(a2b
p
)=
(b
p
).
Proof. Let g be a primitive root modp. Then
(gk
p
)= (−1)k, from which the results follow
easily.
Example 15.5. Determine whether or not 90 is a square mod 11.
Solution: We are asked to compute
(90
11
)By the Lemma above we see that
(90
11
)=
(9
11
)(10
11
)= 1 ·
(−1
11
).
(Since 9 is clearly a square). Now by the Theorem, we know that −1 is a quadratic residue ifand only if p is congruent to 1 mod 4. Since 11 ≡ 3 mod 4 we see that −1 is not a quadraticresidue. Thus (
90
11
)= −1
and 90 is not a quadratic residue.
To some extent, Euler’s criterion allows us to determine whether or not a is a quadraticresidue. However, since it involves taking a large power, it is not clear how effective this
is. At the same time, the Lemma above shows that to compute Legendre symbol
(a
p
), it
suffices to consider only the prime factors q of a and compute
(q
p
). Since we can reduce
mod p, we can assume that q < p. From this perspective, it is natural to ask whether or
not there is some relationship between
(q
p
)and
(p
q
). The answer is a resounding Yes and
is one of the most celebrated results of number theory. In the next section we present thistheorem of Quadratic Reciprocity and a sketch of the proof.
Main Points from Lecture 15:
• Quadratic residues
• The Legendre symbol
• Euler’s criterion
65
16 Quadratic Reciprocity (12.11.2015)
16.1 Introduction
Recall that the Legendre symbol
(a
p
)is defined for an odd prime p and integer a coprime
to p as (a
p
)=
{1 if a is a quadratic residue mod p;
−1 otherwise;
The Law of Quadratic Reciprocity (stated below) decides if the equation x2 ≡ a( mod p) has
a solution x( mod p) by allowing the calculation of
(a
p
). But to actually find a solution still
need to choose a primitive root g ∈ F×p , and write a ≡ gk(mod p). Then
(a
p
)= (−1)k, and
there is a solution if and only if k is even, in which case x ≡ gk/2(mod p) is a solution. Forn, a ∈ N the Law of Quadratic Reciprocity can be used to study the prime factors p | n2−a.
Recall too that for a, b coprime to p(ab
p
)=
(a
p
)(b
p
)(easily proved by writing a, b as powers of a primitive root), and that, by Euler’s Crite-rion(Proposition 15.2),(
−1
p
)= (−1)
p− 1
2 =
{1, if p ≡ 1 mod 4
−1, if p ≡ −1 mod 4.
Theorem 16.1 ( Law of Quadratic Reciprocity (Legendre, Gauss)). For distinct odd primesp and q we have (
p
q
)(q
p
)= (−1)
p− 1
2·q − 1
2 .
(Thus
(p
q
)=
(q
p
)unless p and q are both ≡ −1 mod 4, in which case
(p
q
)= −
(q
p
).)
There are now 246 recorded proofs of this (not all different), including six by Gauss – seehttp://www.rzuser.uni-heidelberg.de/∼hb3/fchrono.htmlWe’ll give one of Gauss’s proofs, using
Lemma 16.2 ( Gauss’s Lemma). For an odd prime p, put p′ = p−12
, and let a be an integercoprime to p. Consider the sequence
a, 2a, 3a, ..., p′a,
reduced mod p to lie in (−p2, p2). Then
(a
p
)= (−1)ν, where ν is the number of negative
numbers in this sequence.
66
Proof. Now all of a, 2a, 3a, ..., p′a are ≡ modp to one of ±1,±2, . . . ,±p′. Further,
• no two are equal, as ia ≡ ja mod p⇒ i ≡ j mod p;
• none is minus another, as ia ≡ −ja mod p⇒ i+ j ≡ 0 mod p.
So they must be ±1,±2, . . . ,±p′, with each of 1, 2, . . . , p′ occurring with a definite sign.Hence
a · 2a · 3a · . . . · p′a ≡ (±1) · (±2) · . . . · (±p′) mod p,
givingap′(p′)! ≡ (−1)ν(p′)! mod p,
and so, as (p′)! is coprime to p, that
ap′ ≡ (−1)ν mod p.
Finally, using Euler’s criterion (Prop. 15.2), we have(a
p
)≡ ap
′ ≡ (−1)ν mod p.
Hence
(a
p
)= (−1)ν .
We can use Gauss’s Lemma to evaluate
(2
p
).
Proposition 16.3. For p an odd prime we have
(2
p
)= (−1)
p2 − 1
8 .
(This is equal to 1 when p ≡ ±1 mod 8, and to −1 when p ≡ ±3 mod 8.)
Proof. There are four similar cases, depending on p mod 8. We give the details for p ≡3 mod 8, p = 8`+ 3 say. Then p′ = 4`+ 1, and, taking a = 2 in Gauss’s Lemma, we see thatfor the sequence
2, 4, 6, . . . , 4`, 4`+ 2, . . . , 8`+ 2
that this becomes2, 4, 6, . . . , 4`,−(4`+ 1),−(4`− 1), . . . ,−3,−1
when reduced modp into the range (−p2,p
2). This clearly has 2` positive members, and
hence ν = p′ − 2` = 2`+ 1 negative members. Hence
(2
p
)= (−1)2`+1 = −1.
Doing the other three cases would be a good exercise!
We now use Gauss’s Lemma with a = q to prove the Law of Quadratic Reciprocity.
67
Proof of Theorem 16.1. Take distinct odd primes p and q. For k = 1, 2, . . . , p′ write (onestep of the Euclidean algorithm)
kq = qkp+ rk (8)
say, where 1 6 rk 6 p− 1 and
qk =
⌊kq
p
⌋. (9)
(The quotient in the division algorithm is here expressed in terms of the floor function
bx c : R→ Z ; x 7→ bxc = largest integer 6 x .
For any integers A,B > 1, A = QB +R with Q = bA/Bc.) Now, working in Fp we have
{q, 2q, . . . , p′q} = {r1, r2, . . . , rp′} = {a1, a2, . . . , at} ∪ {−b1,−b2, . . . ,−bν},
as in Gauss’s Lemma. So the ai’s are in (0, p2) and the −bi’s are in (−p
2, 0). (In fact t = p′−ν,
but not needed.) Now put
a =t∑i=1
ai, b =ν∑i=1
bi.
So, by the definition of the ai’s and −bi’s we have
p′∑k=1
rk = a− b+ νp. (10)
Now, in the proof of Gauss’s Lemma we saw that
{a1, a2, . . . , at} ∪ {b1, b2, . . . , bν} = {1, 2, . . . , p′},
so thatp2 − 1
8= 1 + 2 + · · ·+ p′ = a+ b. (11)
and
p2 − 1
8q =
p′∑k=1
kq
= p
p′∑k=1
qk +
p′∑k=1
rk (using (8))
= p
p′∑k=1
qk + a− b+ νp, (using (10).) (12)
68
Next, on subtracting (12) from (11) we get
p2 − 1
8(q − 1) = p
p′∑k=1
qk − 2b+ νp.
Reducing this mod 2 we have 0 ≡∑p′
k=1 qk − ν mod 2, or ν ≡∑p′
k=1 qk mod 2. Thus Gauss’sLemma gives (
q
p
)= (−1)ν = (−1)
∑p′k=1 qk = (−1)
∑p′k=1b kqp c,
using (9).Now, reversing the roles of p and q we immediately get(
p
q
)= (−1)
∑q′`=1b `pq c,
where of course q′ = (q − 1)/2, and we’ve replaced the dummy variable k by `. So(q
p
)(p
q
)= (−1)
{∑p′k=1 b kqp c+
∑q′`=1b `pq c
},
which equals (−1)p′q′ , by the following proposition.
Proposition 16.4. Let p and q be two coprime odd positive integers. Then
p−12∑
k=1
⌊kq
p
⌋+
q−12∑`=1
⌊`p
q
⌋=p− 1
2· q − 1
2.
Proof. Consider the rectangle with corners (0, 0), (p/2, 0), (0, q/2) and (p/2, q/2). (Suggestyou draw it, along with its diagonal from (0, 0) to (p/2, q/2), and the horizontal axis thek-axis, the vertical axis the `-axis. The diagonal is then the line with equation ` = kq/p.) Wecount the number of integer lattice points (k, `) strictly inside this rectangle in two differentways. First we note that these points form a rectangle with corners
(1, 1),
(p− 1
2, 1
),
(1,q − 1
2
),
(p− 1
2,q − 1
2
),
so that there are p−12· q−1
2of them in all.
On the other hand, we count separately those below, above and on the diagonal. Below
the diagonal we have, for k = 1, . . . p−12
that⌊kqp
⌋is the number of points (k, `) with 1 6 ` 6
kqp
, i.e., below the diagonal, in the kth column. So the total is∑ p−1
2k=1
⌊kqp
⌋.
To count the number of lattice points above the diagonal, we flip the diagram over,reversing the roles of p and q, and of k and `. Then we get that the number of points above
the diagonal is∑ q−1
2`=1
⌊`pq
⌋. It remains to check that there are no lattice points actually on
the diagonal. For if the integer lattice point (k, `) were on the diagonal ` = kq/p we wouldhave `p = kq so that, as p and q are coprime, p | k. But k < p, so this is impossible.
69
16.2 Proofs of Infinitude of Primes
Euclid’s proof of the infinitude of primes was remarkable for its simplicity. To review, heargued that if there are only finitely many primes p1, . . . , pk then the number p1 · · · pk + 1 isnot divisible by any prime, an absurdity. Thus there must be infinitely many.
You can actually get pretty far by just modifying this proof a little bit. For instance,consider the following
Claim 16.5. If n is congruent to 3 mod 4 then it has a prime factor congruent to 3 mod 4.
The proof is simple: n is odd, so its factors are all odd. Such factors are either 1 or 3mod 4. If they were all 1, then n itself would be 1 mod 4, which is isn’t. So n has to have afactor congruent to 3 mod 4.
This claim gives us an easy proof of the following
Theorem 16.6. There are infinitely many primes of the form 4k + 3.
Proof. Suppose there were only finitely many such primes, call them p1, . . . , pk. Then con-sider the number
N = 4p1 · · · pk − 1.
Then N is clearly congruent to 3 mod 4, and thus has a prime factor that is 3 mod 4 by theclaim. However, at the same time, N is not divisible by any of the pi. Hence they cannothave been a full list of primes that were 3 mod 4.
We might hope that we could continue in this fashion to do other cases, but we soonrun into difficulties. For instance if we tried to prove that there are infinitely many primescongruent to 1 mod 4 then this approach would not work. The problem is that the Claimabove is not true if we replace 3 with 1. Indeed, the issue is that pairs of factors that arecongruent to 3 mod 4 multiply to give 1 mod 4. For instance 3 · 7 = 21.
Using the Law of Quadratic Reciprocity, we can improve this somewhat.
Theorem 16.7. There are infinitely many primes of the form 4k + 1.
Proof. Suppose there were only finitely many such primes, call them p1, . . . , pk. Then con-sider the number
N = 4(p1 · · · pk)2 + 1.
Then N is clearly congruent to 1 mod 4. Now let q be a prime factor of N . Then mod q wesee that
0 ≡ 4(p1 · · · pk)2 + 1
and thus−1 ≡ (2p1 · · · pk)2
so −1 is a square mod q. But by QR, we know that −1 is a square if and only if q is congruentto 1 mod 4. Hence all prime factors of N are congruent to 1 mod 4. However, at the sametime, N is not divisible by any of the pi. Hence they cannot have been a full list of primesthat were 1 mod 4.
70
Problem 2 on Workshop 5 deals with showing there are infinitely many primes congruentto 7 mod 8. For that problem you want to consider a number of the form (4p1 · · · pk)2 − 2.You can also use this approach to show that there are infinitely many primes of the form8k+3 and 8k+5, where you would use numbers of the form (p1 · · · pk)2+2 and (p1 · · · pk)2+4respectively.
Main Points from Lecture 16:
• The Law of Quadratic Reciprocity
• Gauss’s Lemma
• Infinities of primes satisfying certain properties
17 Some Diophantine Equations (16.11.2015)
17.1 Fermat’s method of descent
Equations to be solved in integer variables are called Diophantine equations, in honour ofDiophantus of Alexandria, who in the 3rd century AD is first recorded as working on them.
Around 1640, Fermat developed a method for showing that certain Diophantine equationshad no (integer) solutions. In essence, the method is as follows: assume that the equationdoes have a solution. Pick the ‘smallest’ (suitably defined) one. Use the assumed solutionto construct a smaller solution, contradicting the fact that the one you started with was thesmallest. This contradiction proves that there is in fact no solution. The technique is calledFermat’s method of descent. It is, in fact, a form of strong induction. (Why?)
We illustrate the method with three examples.
17.2 A 2-variable quadratic equation with no nonzero integer so-lution
Proposition 17.1. The equation x2 = 2y2 has no solution in positive integers, i.e.√
2 isirrational.
First proof. Assume there is a solution in positive integers x, y. Let 2a | x, 2b | y for thehighest a, b > 0, so that x = 2au, y = 2bv for odd integers u, v. Then x2 = 2y2 becomes22au2 = 22b+1v2, so that 2a = 2b+ 1, a contradiction! So there is no such solution x, y.Second proof. We use Fermat Descent. Again assume that there is a solution x, y inpositive integers. Define the size of the solution to be x + y. Choose a solution of smallestsize (not necessarily unique – that doesn’t matter). It follows from 2 | 2y2 = x2 that 2 | x2,and so 2 | x. Put x = 2x1, so that (2x1)
2 = 2y2, or y2 = 2x21. Hence we have another solutiony, x1 of the original equation. But its size is y + x1 < y + x, contradicting the assumptionthat we started with a solution of smallest size. Hence the assumption that there was asolution must be wrong.
71
We next look at a more complicated example. The principle of proving that there is nosolution is just the same, however.
17.3 A 4-variable quadratic equation with no nonzero integer so-lution
Theorem 17.2. Let p and q be odd primes such that at least one of
(p
q
),
(q
p
)is −1. Then
the equationx2 + pqy2 = pz2 + qw2 (13)
has no solution in positive integers x, y, z, w.
Proof. In fact we’ll prove the slightly stronger assertion that (13) has no solution in nonneg-ative integers x, y, z, w not all 0.
Suppose that say
(p
q
)= −1 and there is such a solution (x, y, z, w). Clearly we can
assume that x, y, z, w are all > 0. Define the size of such a solution by
s(x, y, z, w) = x+ y + z + w > 1
Among all such solutions (x, y, z, w), we choose one that has size s(x, y, z, w) as small aspossible.
Considering (13) mod q, we have that x2 ≡ pz2 mod q. If z 6≡ 0 mod q, we would have
(xz−1)2 ≡ p mod q, contradicting
(p
q
)= −1. Hence q | z, and so also q | x. Thus we can
write x = qx1, z = qz1, and so from (13) we have
(qx1)2 + pqy2 = p(qz1)
2 + qw2.
Dividing by q and reordering the terms, we have
w2 + pqz21 = py2 + qx21,
which gives a new solution (w, z1, y, x1) of (13). Now x and z can’t both be 0, as then (13)would give py2 = w2. This is impossible, as y and w aren’t both 0, and so the LHS is exactlydivisible by an odd power of p while the RHS is exactly divisible by an even power of p.Hence either 0 < z1 < z or 0 < x1 < x (or both!), so we have s(w, z1, y, x1) = w+z1+y+x1 <w + z + y + x = s(x, y, z, w). So we have found a solution of smaller size, contradicting thefact that we started with one of minimal size. Hence no solution can exist.
Of course if, instead,
(q
p
)= −1, then we simply swap the roles of p and q in the above
argument.
Corollary 17.3. If both p and q are primes ≡ −1 mod 4 then (13) has no solution in positiveintegers.
72
Proof. In this case quadratic reciprocity tells us that
(p
q
)= −
(q
p
), so that one of these
Legendre symbols is −1. Hence the condition that at least one of
(p
q
),
(q
p
)is −1 in
Theorem 17.2 applies.
Notes.
1. If both
(p
q
)=
(q
p
)= 1, then (13) can have a nonzero solution. For instance, when
p = 5, q = 11 we have
(5
11
)=
(11
5
)=
(1
5
)= 1, from Quadratic Reciprocity. And
indeed the equation x2 + 55y2 = 5z2 + 11w2 has the nonzero solutions
(x, y, z, w) = (4, 0, 1, 1) , (3, 1, 2, 2) , (7, 1, 1, 3) .
2. Theorem 17.2 can be strengthened to show that (13) has no solutions in nonnegativeintegers not all 0. To see this, you follow the proof as above, but the size of the newsolution obtained, w + z1 + y + x1, is < w + z + y + x only if x and z are not both 0.In this case the proof goes through as before.
However, if x = z = 0 then (13) gives py2 = w2. But this has no nonzero solution, asis easily seen by replacing ‘2’ by ‘p’ in Proposition 17.1 – the proof is just the same.Hence the case x = z = 0 cannot occur.
Our third example has a trickier proof, but again the underlying ‘descent’ method is thesame.
17.4 Fermat’s Last Theorem for exponent 4
Fermat’s Last Theorem is that the Diophantine equation
xn + yn = zn
can be solved by integers x, y, z > 1 only for n = 1, 2. (For n = 2 we have the PythagoreanTriples). The theorem was first claimed by Fermat in 1637 in the margin of Diophantus’sArithmetica, although “the margin of the book was too large to accommodate the proof”.So it was downgraded to the Fermat Conjecture. The conjecture was sensationally provedby Sir Andrew Wiles in 1994. On YouTube you can see the marvellous 1996 BBC TV filmabout what is now officially Fermat’s Last Theorem.
Theorem 17.4. The equationx4 + y4 = z2 (14)
has no solution in positive integers x, y, z.
73
Corollary 17.5 (Fermat’s Last Theorem for exponent 4). The equation x4 + y4 = z4 hasno solution in positive integers x, y, z.
This corollary is simply the special case of Theorem 17.4 where z is assumed to be asquare.
Proof of Theorem 17.4. (From H. Davenport, The higher arithmetic. An introductionto the theory of numbers, Longmans 1952, p.162). Suppose that (14) has such a solution.We can clearly assume that z 6= 1, i.e., that z > 1. We measure the size of a solution simplyby z. Assume we have a solution with z minimal. If d = gcd(x, y) > 1 we can divide by d4,replacing x by x/d, y by y/d and z by z/d2 in (14), obtaining a solution with z smaller. Sowe must have gcd(x, y) = 1 for our minimal solution.
Now from Corollary 7.9 we know that
X2 + Y 2 = Z2
has general solution (with gcd(X, Y ) = 1), possibly after interchanging X and Y of
X = p2 − q2 Y = 2pq Z = p2 + q2,
where p, q ∈ N and gcd(p, q) = 1, so
x2 = p2 − q2 y2 = 2pq z = p2 + q2.
As a square is ≡ 0 or 1 mod 4, and x is odd (because gcd(x, y) = 1), we see that p is oddand q is even, say q = 2r. So
x2 = p2 − (2r)2(y
2
)2= pr.
Since gcd(p, r) = 1 and pr is a square, we have p = v2 and r = w2 say, so
x2 + (2w2)2 = v4.
Note that, as gcd(p, q) = 1, we have gcd(x, q) = 1 = gcd(x, 2w2). Hence, on applyingCorollary 7.9 again, we have
x = p21 − q21 2w2 = 2p1q1 v2 = p21 + q21,
where gcd(p1, q1) = 1 and not both are odd. Say p1 odd, q1 even. Thus w2 = p1q1, givingp1 = v21, q1 = r21, say. Hence
v2(= p21 + q21) = v41 + r41,
which is another solution of (14)! But
v2 = p =√z − q2 <
√z,
giving v < z1/4, so certainly v < z (as z > 1), contradicting the minimality of z.
74
Main Points from Lecture 17:
• Diophantine equations without solutions
• Irrationality of√
2
• Fermat’s method of descent
• Fermat’s Last Theorem for n = 4.
18 Representation of integers as sums of two squares
(19.11.2015)
Which n ∈ Z can be represented as a sum of two squares
n = x2 + y2 for x, y ∈ Z ?
Obviously need n > 0. Can clearly assume that x and y are > 0.
Here is what happens for low values of n
0 = 02 + 02 , 1 = 02 + 12 , 2 = 12 + 12 , 3 6= x2 + y2 , 4 = 02 + 22 ,
5 = 12 + 22 , 6 6= x2 + y2 , 7 6= x2 + y2 , 8 = 22 + 22 , 9 = 02 + 32 ,
10 = 12 + 32 , 11 6= x2 + y2 , 12 6= x2 + y2 , 13 = 22 + 32 , 14 6= x2 + y2 , . . . .
There is no apparent pattern.
Gauss was the first to observe that the question of expressing an integer as a sum oftwo squares is closely related to the properties of complex numbers with integer real andimaginary parts. The modulus of a complex number z = a+ib (a, b ∈ R) is the nonnegativereal number
‖z‖ =√a2 + b2 > 0 .
The product of two complex numbers z = a+ ib, w = c+ id is
zw = (a+ ib)(c+ id) = ac− bd+ i(ad+ bc)
with modulus
‖zw‖ =√
(ac− bd)2 + (ad+ bc)2
=√a2c2 + b2d2 + a2d2 + b2c2 =
√a2 + b2
√c2 + d2 = ‖z‖ ‖w‖ .
A Gaussian integer is a complex number of the form
z = a+ ib
75
with a, b ∈ Z. It is clear that the sum of Gaussian integers is a Gaussian integer
(a+ ib) + (c+ id) = (a+ c) + i(b+ d) .
An integer m ∈ N is a sum of squares m = a2 + b2 of integers a, b ∈ N if and only if it is thesquare of the modulus (called the norm) of a Gaussian integer a+ ib
m = ‖a+ ib‖2 = a2 + b2 .
Proposition 18.2 below states that the product of sums of two squares is a sum of two squares:
(a2 + b2)(c2 + d2) = (ac− bd)2 + (ad+ bc)2
which is immediate from the product rule ‖zw‖ = ‖z‖ ‖w‖ for the modulus of the product ofcomplex numbers: the product of Gaussian integers is a Gaussian integer with the productnorm. The Wikipedia article on Gaussian integers is a brief introduction to the interestingalgebraic and geometric properties of the Gaussian integers. You might even wish to take aStroll through the Gaussian primes.
So the question of expressing an integer as a sum of two squares is reduced to theexpression of prime powers as sums of two squares.
Certainly every power of 2 is a sum of squares:
22k = (2k)2 + 02 , 22k+1 = (2k)2 + (2k)2 .
It will turn out that every power of an odd prime p ≡ 1(mod) is a sum of two squares, andthat only the even powers of odd prime p ≡ 3( mod 4) are sums of two squares. It will followthat an integer n > 1 is a sum of two squares if and only if the the highest exponents of theprimes q | n with q ≡ −1(mod 4) are even - a theorem of Fermat (who pre-dated Gauss).
Important note:
(2k)2 ≡ 0 mod 4 and (2k + 1)2 = 8
(k + 1
2
)+ 1 ≡ 1 mod 8
so that(even)2 ≡ 0 (mod, 4) , (odd)2 ≡ 1 (mod, 4) .
The sum n = x2 + y2 of two squares is
either (even)2+(even)2 ≡ 0 mod 4
or (odd)2+(odd)2 ≡ 2 mod 4
or (even)2+(odd)2 ≡ 1 mod 4.
If the sum n is odd then only the last case applies, so it must be n ≡ 1 mod 4.
76
18.1 The case n = p, odd prime
Which primes are the sum of two squares?
Theorem 18.1. An odd prime p is a sum of two squares p = x2 + y2 (of integers) if andonly if p ≡ 1 mod 4.
Proof. We have already shown that if an odd number is a sum of two squares than it is≡ 1 mod 4.
Conversely, assume p is an odd prime and p ≡ 1 mod 4. Knowing that then
(−1
p
)= 1
(Thm. 15.3), take r ∈ N with r2 ≡ −1 mod p. Define K = b√pc, note that
K <√p < K + 1, (15)
as√p 6∈ Z. The function
f : [0, K]× [0, K]→ Fp ; (u, v) 7→ u+ rv mod p
is from a set with (K + 1)2 > p elements to a set with p elements, so by the PigeonholePrinciple, there exist (u1, v1) 6= (u2, v2) for which f(u1, v1) ≡ f(u2, v2) mod p. Hence
u1 + rv1 ≡ u2 + rv2 mod p
u1 − u2 ≡ −r(v1 − v2) mod p
a ≡ −rb mod p,
say, where a = u1 − v1 and b = v1 − v2 are not both 0. Hence a2 ≡ −b2 mod p as r2 ≡−1 mod p, so that p | (a2 + b2). But |a| 6 K, |b| 6 K, giving
0 < a2 + b2 6 2K2 < 2p.
So a2 + b2 = p.
18.2 The general case
We now look at what happens if a prime ≡ −1 mod 4 divides a sum of two squares.
Proposition 18.2. Let q ≡ 3 mod 4 be prime, and q | (x2 + y2). Then q | x and q | y, sothat q2 | (x2 + y2).
Proof. Assume that it is not the case that both x and y are divisible by q, say q - x. Then
from x2 + y2 ≡ 0 mod q we get (yx−1)2 ≡ −1 mod q, contradicting
(−1
q
)= −1 (Thm.
15.3).
Proposition 18.3. If n is a sum of two squares and m is a sum of two squares then so isnm.
77
Proof. If n = a2 + b2 and m = c2 + d2 then
nm = (a2 + b2)(c2 + d2) = (ac− bd)2 + (ad+ bc)2.
Corollary 18.4. If n = A2∏
i ni where A, ni ∈ Z and each ni is a sum of two squares, thenso is n.
Proof. Use induction on i to get n/A2 =∏
i ni = a2 + b2 say. Then n = (Aa)2 + (Ab)2.
We can now state and prove our main result.
Theorem 18.5 ( Fermat). Write n in factorised form as
n = 2f2∏
p≡1 mod 4
pfp∏
q≡−1 mod 4
qgq ,
where (of course) all the p’s and q’s are prime. Then n can be written as the sum of twosquares of integers iff all the gq’s are even.
Proof. If all the gq are even then n = A2×(product of some p’s) and also ×2 if f2 is odd. Sowe have n = A2 ×
∏i(a
2i + b2i ) by Theorem 18.1 (using also 2f2 = (2(f2−1)/2)2 + (2(f2−1)/2)2 if
f2 odd). Hence, by Corollary 18.4, n is the sum of two squares.Conversely, suppose q | n = a2 + b2, where q ≡ −1 mod 4 is prime. Let qk be the highest
power of q dividing both a and b, so say a = qka1, b = qkb1. Then
n
q2k= a21 + b21.
Now q -n
q2k, as otherwise q would divide both a1 and b1, by Prop. 18.2. Hence q2k is the
highest power of q dividing n, i.e., gq = 2k is even. Hence all the gq’s are even.
18.3 Related results
Proposition 18.6. If an integer n is the sum of two squares of rationals then it’s the sumof two squares of integers.
Proof. Suppose that
n =(ab
)2+( cd
)2for some rational numbers a/b and c/d. Then
n(bd)2 = (da)2 + (bc)2.
Hence, by Thm 18.5, for every prime q ≡ −1 mod 4 with qi|n(bd)2, i must be even. But thenif q`|bd then qi−2`|n, with i− 2` even. Hence, by Thm 18.5 (in the other direction), n is thesum of two squares of integers.
78
Corollary 18.7. A rational number n/m is the sum of two squares of rationals iff nm isthe sum of two squares of integers.
Proof. If nm = a2 + b2 for a, b ∈ Z then
n
m=( am
)2+
(b
m
)2
.
Conversely, ifn
m=(ab
)2+( cd
)2then
nm =(amb
)2+(cmd
)2.
Hence, by Prop. 18.6, nm is the sum of two squares of integers.
18.4 Finding all ways of expressing a rational as a sum of tworational squares
Now let h be a rational number that can be written as the sum of two squares of rationals.We can then describe all such ways of writing h.
Theorem 18.8. Suppose that h ∈ Q is the sum of two rational squares: h = s2 + t2, wheres, t ∈ Q. Then the general solution of h = x2 + y2 in rationals x, y is
x =s(u2 − v2)− 2uvt
u2 + v2y = −
(t(u2 − v2) + 2uvs
u2 + v2
), (16)
where u, v ∈ Z and are not both zero.
Proof. We are looking for all points (x, y) ∈ Q2 on the circle x2 + y2 = h. If (x, y) is such apoint, then for x 6= s the chord through (s, t) and (x, y) has rational slope (t− y)/(s− x).
Conversely, take a chord through (s, t) of rational slope r, which has equation y =r(x− s) + t. Then for the intersection point (x, y) of the chord and the circle we have
x2 + (r(x− s) + t)2 = h,
which simplifies to
x2(1 + r2) + 2rx(t− rs) + (r2 − 1)s2 − 2rst = 0,
using the fact that t2 − h = −s2. This factorises as
(x− s)((1 + r2)x+ 2rt+ s(1− r2)) = 0.
For x 6= s we have
x =s(r2 − 1)− 2rt
1 + r2
79
and
y = t+ r(x− s)
= −(t(r2 − 1) + 2sr
1 + r2
),
on simplification. Finally, substituting r = u/v gives (16). Note that v = 0 in (16) (i.e.,r =∞) gives the point (r,−s).
Corollary 18.9. The general integer solution x, y, z of the equation x2 + y2 = nz2 is
(x, y, z) = (a(u2 − v2)− 2uvb, b(u2 − v2) + 2uva, u2 + v2),
where n = a2 + b2, with a, b, u, v ∈ Z, and u, v arbitrary.
(If n is not the sum of two squares, then the equation has no nonzero solution, by Prop.18.6.)
In particular, for n = 1 = 12 + 02, we see that the general integer solution to Pythagoras’equation x2 + y2 = z2 is
(x, y, z) = (u2 − v2, 2uv, u2 + v2).
For a socalled primitive solution — one with gcd(x, y) = 1 — choose u, v with gcd(u, v) = 1and not both odd.
The same method works for Ax2 +By2 + Cz2 = 0.
18.5 Sums of three squares, sums of four squares
Proposition 18.10. No number of the form 4a(8k + 7), where a is a nonnegative integer,is the sum of three squares (of integers).
Proof. Use induction on a. For a = 0: Now n2 ≡ 0, 1 or 4 mod 8, so a sum of three squaresis ≡ 1 or 1 or 2 or 3 or 4 or 5 or 6 mod 8, but 6≡ 7 mod 8.
Assume result true for some integer a > 0. If 4a+1(8k+ 7) = n21 + n2
2 + n23 then all the ni
must be even, and so = 4(n′21 +n′22 +n′23 ) say. But then 4a(8k+ 7) = n′21 +n′22 +n′23 , contraryto the induction hypothesis.
In fact (won’t prove)
Theorem 18.11 (Legendre 1798, Gauss). All positive integers except those of the form4a(8k + 7) are the sum of three squares.
Assuming this result, we can show
Corollary 18.12 (Lagrange 1770). Every positive integer is the sum of four squares.
Proof. The only case we need to consider is n = 4a(8k+7). But then n−(2a)2 = 4a(8k+6) =22k+1(4k + 3), which (being exactly divisible by an odd power of 2) is not of the form4a′(8k′ + 7), so is the sum of three squares.
80
The Wikipedia article on the Lagrange four-square theorem has much to recommend it.
Main Points from Lecture 18:
• An odd prime p is a sum of two squares iff p mod 1 mod 4
• Fermat: a positive integer n is a sum of two squares iff for every odd prime q|n withq ≡ −1 mod 4 the highest power of q dividing n is even.
• An integer is a sum of two squares of rationals iff it is a sum of two squares of integers.
19 Primality testing (23.11.2015)
19.1 Introduction
The applications of number theory to cryptography depend both on you being able to rec-ognize large primes, and on other people not being able to recognize them! You need torecognize which numbers are prime in order to encode information, but the security of thedata transmission depends on the opposition not being able to work out what these primesactually are. For example, in the RSA cryptosystem the public encryption key is the productn = pq of two primes p, q so large that it is not feasible to factor n.
Factorization is concerned with the problem of developing efficient algorithms to expressa given positive integer n > 1 as a product of powers of distinct primes. With primalitytesting, however, the goal is more modest: given n, decide whether or not it is prime. Ifn does turn out to be prime, then of course you’ve (trivially) factorised it, but if you showthat it is not prime (i.e., composite), then in general you have learnt nothing about itsfactorisation (apart from the fact that it’s not a prime!).
One way of testing a number n for primality is the following: suppose a certain theorem,Theorem X say, whose statement depends on a number n, is true when n is prime. Then ifTheorem X is false for a particular n, then n cannot be prime.
It would be good if we could find a Theorem Y that was true iff n was prime, and wasmoreover easy to test. Then we would know that if the theorem was true for n then nwas prime. A result of this type is the following (also on a problem sheet): n is prime iffan−1 ≡ 1 mod n for a = 1, 2, . . . , n− 1. This is, however, not easy to test; it is certainly noeasier than testing whether n is divisible by a for a = 1, . . . , n.
19.2 Wilson’s Theorem and its converse
Here is a theorem which gives a necessary and sufficient condition (hard to verify in practice)for n to be prime.
Theorem 19.1. A positive integer n > 2 is prime if and only if (n− 1)! ≡ −1 mod n.
81
Proof. One way round is just Wilson’s Theorem 9.4: if p is prime then (p− 1)! ≡ −1 mod p.For the converse, assume that n is composite and (n − 1)! ≡ −1 mod n. Let n = ab
with 1 < a < n and 1 < b < n, so that a | (n − 1)!. We now have a | n and also thatn | ((n− 1)! + 1), so that a | (n− 1)! + 1. Hence
a | ((n− 1)! + 1)− (n− 1)! = 1 ,
a contradiction. So n is prime.
Example 19.2. 5! = 120 6≡ −1 mod 6, so n = 6 is not a prime.
The application of Theorem 19.1 in practice requires n−2 multiplications mod n to calcu-late (n−1)! mod n, which isO(n(log2 n)2). See https://en.wikipedia.org/wiki/Big O notationfor the Big O terminology: a numerical function f(n) is O(g(n)) if there exist numbersM,n0 > 0 such that f(n) 6Mg(n) for all n > n0.
19.3 Fermat’s Little Theorem (again), and pseudoprimes
Recall Fermat’s Little Theorem 9.5: if p is prime then ap ≡ a mod p for every a mod p. Soif for some n have an 6≡ a (mod n) for some a 6≡ 0 mod n then n is not prime.
Example 19.3. For a = 2 and n = 63
263 = 260.23 = 6410.8 = 8 6≡ 2 mod 63
so that 63 is not prime. (Of course it is easier to just observe 63=7.9).
It is known that for all the numbers 1 6 n 6 340 if 2n ≡ 2(mod n) then n is prime. Butn = 341 shows that the converse of Fermat’s Little Theorem is false:
Example 19.4. Let n = 341 = 11.31. By Fermat’s Little Theorem we have 210 ≡ 1 mod 11,so that
2340 = (210)34 = 1(mod 11) .
Also2340 = (25)68 = 3268 = 1(mod 31) .
Hence 2341 ≡ 2(mod 341), even though n = 341 is not a prime.
There is also a version of Fermat’s Little Theorem for a prime p and a coprime to p, inwhich case ap−1 ≡ 1 mod p. This condition is necessary but not sufficient for a number n tobe prime, as shown by the above example.
A number n is a pseudoprime to base a if n 6 |a and an−1 ≡ 1 (mod n) but n is notactually a prime.
In general, there are far fewer pseudoprimes n to the base a not exceeding a specifiedbound, than there are primes. For example, there are 455,052,511 primes less than 1010, butonly 14,884 pseudoprimes.
82
19.4 Proving primality of n when n− 1 can be factored
In general, primality tests can only tell you that a number n either ‘is composite’, or ‘can’ttell’. They cannot confirm that n is prime. However, under the special circumstance thatwe can factor n− 1, primality can be proved:
Theorem 19.5 ( Lucas Test, as strengthened by Kraitchik and Lehmer). Let n > 1 have theproperty that for every prime factor q of n−1 there is an integer a such that an−1 ≡ 1 mod nbut a(n−1)/q 6≡ 1 (mod n). Then n is prime.
Proof. Define the subgroup G of (Z/nZ)× to be the subgroup generated by all such a’s.Clearly the exponent of G is a divisor of n − 1. But it can’t be a proper divisor of n − 1,for then it would divide some (n − 1)/q say, which is impossible as a(n−1)/q 6≡ 1 (mod n)for the a corresponding to that q. Hence G has exponent n − 1. But then n − 1 ≤ #G ≤#(Z/nZ)× = ϕ(n). Hence ϕ(n) = n− 1, which immediately implies that n is prime.
Corollary 19.6 (Pepin’s Test, 1877). Let Fk = 22k + 1, the kth Fermat number, where
k ≥ 1. Then Fk is prime iff 3
Fk − 1
2 ≡ −1 mod Fk.
Proof. First suppose that 3
Fk − 1
2 ≡ −1 mod Fk. We apply the theorem with n = Fk. So
n − 1 = 22k and q = 2 only, with a = 3. Then 3
Fk − 1
2 6≡ 1 (mod Fk) and (on squaring)3Fk−1 ≡ 1 mod Fk, so all the conditions of the Theorem are satisfied.
Conversely, suppose that Fk is prime. Then, by Euler’s criterion (Proposition 15.2) andquadratic reciprocity (see Chapter 5) we have
3
Fk − 1
2 ≡(
3
Fk
)=
(Fk3
)=
(2
3
)= −1,
as 2 is not a square mod3.
We can use this to show that F0 = 3, F1 = 5, F2 = 17, F3 = 257 and F4 = 65537 are allprime. It is known that Fk is composite for 5 ≤ k ≤ 32, although complete factorisations ofFk are known only for 0 ≤ k ≤ 11, and there are no known factors of Fk for k = 20 or 24.Heuristics suggest that there may be no more k’s for which Fk is prime.
19.5 Carmichael numbers
A Carmichael number is a (composite) number n that is a pseudoprime to every base awith 1 ≤ a ≤ n and gcd(a, n) = 1. Since it it immediate that an−1 6≡ 1 (mod n) whengcd(a, n) > 1, we see that Carmichael numbers are pseudoprimes to as many possible bases
83
as any composite number could be. They are named after the US mathematician RobertCarmichael (1879 – 1967).
[But even finding an a with gcd(a, n) > 1 gives you a factor of n. (Imagine that n isaround 10300 and is a product of three 100-digit primes – such a’s are going to be few andfar between!)]
Example 1. The number n = 561 = 3.11.17 is a Carmichael number. To see thistake a : gcd(a, 561) = 1, so that a is coprime to each of 3, 11 and 17. So, by Fermat, wehave a2 ≡ 1 mod 3, a10 ≡ 1 mod 11 and a16 ≡ 1 mod 17. Now lcm(2, 10, 16) = 80 so that,taking appropriate powers, we have that a80 ≡ 1 mod 3.11.17. Finally a560 = (a80)7 ≡ 17 ≡1 mod 560, so that indeed n = 561 is Carmichael.
For more examples of Carmichael numbers, see Workshop 4.
19.5.1 Properties of Carmichael numbers
Theorem 19.7 ( See Qs 14 and 15, Workshop 4). An integer n > 1 is a Carmichael numberiff n is squarefree and p− 1 | n− 1 for each prime p dividing n.
Proposition 19.8 ( See Q 18, Workshop 4). Every Carmichael number has at least 3 distinctprime factors.
A curious result is the following.
Theorem 19.9 ( See Q 17, Workshop 4). An integer n > 1 has the property that
(a+ b)n ≡ an + bn mod n for all a, b ∈ Z
iff either n is a prime number or n is a Carmichael number.
19.6 Strong pseudoprimes
Given n > 1 odd and an a such that an−1 ≡ 1 mod n, factorise n− 1 as n− 1 = 2fq, whereq is odd, f ≥ 1 and consider the sequence
S = [aq, a2q, a4q, . . . , a2f q ≡ 1],
taken (mod n). If n is prime then, working left to right, either aq ≡ 1 mod n, in whichcase S consists entirely of 1’s, or the number before the first 1 must be −1. This is becausethe number following any x in the sequence is x2, so if x2 ≡ 1 mod n for n prime, thenx ≡ ±1 mod n. (Why?) A composite number n that has this property, (i.e., is a pseudoprimeto base a and for which either S consists entirely of 1’s or the number before the first 1 inS is −1) is called a strong pseudoprime to base a.
Clearly, if n is a prime or pseudoprime but not a strong pseudoprime, then this strongertest proves that n isn’t prime. This is called the Miller-Rabin Strong Pseudoprime Test.
84
Example 2. Take n = 31621. It is a pseudoprime to base a = 2, as 2n−1 ≡ 1 mod n but5n−1 ≡ 12876 mod n (so n not prime). We have n− 1 = 22 · 7905, 27905 ≡ 31313 mod n and215810 ≡ 231620 ≡ 1 mod n, so n is not a strong pseudoprime to base 2.
19.7 Strong pseudoprimes to the smallest prime bases
It is known that
• 2047 is the smallest strong pseudoprime to base 2;
• 1373653 is the smallest strong pseudoprime to both bases 2, 3;
• 25326001 is the smallest strong pseudoprime to all bases 2, 3, 5;
• 3215031751 is the smallest strong pseudoprime to all bases 2, 3, 5, 7;
• 2152302898747 is the smallest strong pseudoprime to all bases 2, 3, 5, 7, 11;
• 3474749660383 is the smallest strong pseudoprime to all bases 2, 3, 5, 7, 11, 13;
• 341550071728321 is the smallest strong pseudoprime to all bases 2, 3, 5, 7, 11, 13, 17.
(In fact 341550071728321 is also a strong pseudoprime to base 19.)Hence any odd n < 341550071728321 that passes the strong pseudoprime test for all
bases 2, 3, 5, 7, 11, 13, 17 must be prime. So this provides a cast-iron primality test for allsuch n.
19.8 Factorising weak pseudoprimes
Let us call a pseudoprime to base a that is not a strong pseudoprime to base a a weakpseudoprime to base a.
Theorem 19.10. An odd weak pseudoprime n to base a can be factored into n = n1n2,where n1, n2 > 1.
Proof. When the strong pseudoprime test detects n as being composite, what happens is thatsome x ∈ S is a solution to x2 ≡ 1 mod n with x 6≡ ±1 (mod n) because x ≡ 1 mod n1 andx ≡ −1 mod n2 for some coprime n1, n2 with n1n2 = n. And then both g− := gcd(x− 1, n)(divisible by n1) and g+ := gcd(x+1, n) (divisible by n2) are nontrivial factors of n. Further,2 = (x+1)−(x−1) = k+g+−k−g− say, for some integers k+, k−. So, because n is (assumed)odd, g+ and g− are coprime. As they are also factors of n, they must actually equal n1 andn2 respectively.
85
Example 2 revisited. Take n = 31621.Then x = 31313 and gcd(n, 31312) = 103 andgcd(n, 31314) = 307, giving the factorisation n = 103 · 307.
Note that if n = n1n2 where n1 and n2 are coprime integers, then by the Chinese Re-mainder Theorem we can solve each of the four sets of equations
x ≡ ±1 mod n1 x ≡ ±1 mod n2
to get four distinct solutions of x2 ≡ 1 mod n. For instance, for n = 35 get x = ±1 or ±6.For the example n = 31621 above, we have 31313 ≡ 1 mod 103 and 31313 ≡ −1 mod 307,so that four distinct solutions of x2 ≡ 1 mod 31621 are ±1 and ±31313.
19.9 Primality testing in ‘polynomial time’
In 2002 the Indian mathematicians Agrawal, Kayal and Saxena invented an algorithm, basedon the study of the polynomial ring (Z/nZ)[x], that was able to decide whether a given nwas prime in time O((log n)6+ε). (Here the constant implied by the ‘O’ depends on ε and socould go to infinity as ε→ 0.) (Search for ‘AKS algorithm’ on web.)
19.10 The Lucas-Lehmer primality test for Mersenne numbers
Given an odd prime p, let Mp = 2p − 1, a Mersenne number (and a Mersenne prime iff it isprime). [It is an easy exercise to prove that if p is composite, then so is Mp.] See section 13fro an an introduction to Mersenne numbers.
Define a sequence S1, S2, . . . , Sn, . . . by S1 = 4 and Sn+1 = S2n− 2 for n = 1, 2, . . . . so we
haveS1 = 4, S2 = 14, S3 = 194, S4 = 37634, S5 = 1416317954, . . . .
There is a very fast test for determining whether or not Mp is prime.
Theorem 19.11 ( Lucas-Lehmer Test). For an odd prime p, the Mersenne number Mp isprime iff Mp divides Sp−1.
So M3 = 7 is prime as 7 | S2, M5 = 31 is prime as 31 | S4,. . . . In this way get Mp primefor p = 3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127, 521, 607, 1279, 2203, 2281, . . . (47th) 43112609.There may be others between the 41st and 47th. [as at October 2012.]
For the proof, we need two lemmas.
Lemma 19.12. Put ω = 2 +√
3 and ω1 = 2−√
3. Then ωω1 = 1 (immediate) and
Sn = ω2n−1
+ ω2n−1
1
for n = 1, 2, . . . .
The proof is a very easy induction exercise.
86
Lemma 19.13. Let r be a prime ≡ 1 mod 3 and ≡ −1 mod 8 (i.e., ≡ 7 mod 24). Then
ω
r + 1
2 ≡ −1 mod r.
(So it’s equal to a+ b√
3 where a ≡ −1 mod r and b ≡ 0 mod r.)
Proof. Put
τ =1 +√
3√2
and τ1 =1−√
3√2
.
Then we immediately get ττ1 = −1, τ 2 = ω and τ 21 = ω1. Next, from τ√
2 = 1 +√
3 we have(τ√
2)r = (1 +√
3)r, so that
τ r2r−12
√2 = 1 +
r−1∑j=1
(r
j
)(√
3)j + 3r−12
√3
≡ 1 + 3r−12
√3 mod r, (17)
as r |(rj
). Since r ≡ −1 mod 8 we have
2r−12 ≡
(2
r
)= (−1)
r2−18 ≡ 1 mod r,
using Euler’s Criterion, and Prop. 5.3. Further, since r ≡ 1 mod 3 and r ≡ −1 mod 4 wehave
3
r − 1
2 ≡(
3
r
)=(r
3
)(−1)
r − 1
2·3− 1
2 =
(1
3
)· (−1) ≡ −1 mod r,
using Euler’s Criterion again, and also Quadratic Reciprocity (Th. 5.1). So, from (17), wehave successively
τ r√
2 ≡ 1−√
3 mod r
τ r ≡ τ1 mod r
τ r+1 ≡ ττ1 = −1 (mod r)
ωr+12 ≡ −1 mod r,
the last step using τ 2 = ω.
Proof of Theorem 19.11. Mp prime ⇒ Mp | Sp−1. Assume Mp prime. Apply Lemma19.13 with r = Mp, which is allowed as Mp ≡ −1 mod 8 and Mp ≡ (−1)p− 1 ≡ 1 mod 3. So
ω
Mp + 1
2 = ω2p−1 ≡ −1 mod Mp (18)
87
and, using Lemma 19.12, including ω−11 = ω, we have
Sp−1 = ω2p−2
+ ω2p−2
1 = ω2p−2
1
((ω−11
)2p−2
ω2p−2
+ 1)
= ω2p−2
1
(ω2p−1
+ 1)≡ 0 mod Mp, (19)
the last step using (18).Mp | Sp−1 ⇒ Mp prime. Assume Mp | Sp−1 but Mp composite. We aim for a
contradiction. Then Mp will have a prime divisor q (say) with q2 ≤Mp.
Now consider the multiplicative group G =
(Z[√3]
(q)
)×of units of the ring
Z[√3]
(q). Then G
has coset representatives consisting of numbers a+b√
3 with a, b ∈ {0, 1, 2, . . . , q−1} that arealso invertible (mod q). So G is a group of size (order) at most q2 − 1, with multiplicationdefined modulo q. From ω(ω1 + q
√3) ≡ 1 mod q we see that ω = 2 +
√3 is invertible, and
so ω ∈ G. [Strictly speaking, the coset ω (mod q) ∈ G.]Now, using Mp | Sp−1 we see that (19) holds even when Mp is composite, so we have
successively that ω2p−1+ 1 ≡ 0 mod Mp, ω
2p−1 ≡ −1 mod q and ω2p ≡ 1 mod q. Hence theorder of ω in G is 2p. Then 2p | #G ≤ q2− 1 ≤Mp− 1 = 2p− 2, a contradiction. Hence Mp
must be prime.
In practice, to test Mp for primality using Theorem 19.11, one doesn’t need to com-pute Sj(j = 1, 2, . . . , p − 1), but only the much smaller (though still large!) numbers Sj(mod Mp)(j = 1, 2, . . . , p− 1).
Main Points from Lecture 19:
• The converse of Wilson’s theorem is true
• The converse of Fermat’s Little Theorem is false
• Pseudoprimes
• Carmichael numbers
20 Integer Factorisation (26.11.2015)
In this chapter we review the historic techniques of Trial Division, the Sieve of Eratosthenes,and Fermat’s factorisation method. We then study two simply-programmable integer fac-torisation algorithms, both due to Pollard.
20.1 Trial Division
Given n > 1, try dividing n successively by the primes 2, 3, . . . , up to the largest prime≤√n. If any such prime divides n, then of course you have found a factor, and you can
88
continue the process by applying the same procedure to n/p. On the other hand, if none ofthese primes divides n, then n itself is prime. Why?
Lemma 20.1. If n > 1 is composite then it is divisible by a prime ≤√n.
Proof. Say n = n1n2, where n1, n2 > 1. If both were >√n then n = n1n2 would be
>√n2
= n, a contradiction. Hence one of n1 or n2, say n1, is ≤√n. Then any prime factor
p of n1 certainly divides n, and so p ≤ n1 ≤√n, as required.
Trial division requires knowledge of all primes ≤√n. How to find them?
20.2 The Sieve of Eratosthenes
To find all primes up to N (e.g., for N = b√nc), write down 2, 3, 4, 5, 6, . . . , N and
• cross off all multiples of 2, except 2 itself. Then the first uncrossedout number (3) isprime.
• cross off all multiples of 3, except 3. Then the first uncrossedout number (5) is prime.
Proceed in this way until you have crossed out all multiples of p, except p itself, for all primes≤√N . Then the uncrossedout numbers consist of all the primes ≤ N . This is because, by
Lemma 20.1, all composite numbers ≤ N are divisible by a prime ≤√N , and so have been
crossed out.Thus to apply trial division on n you would need to apply the Sieve of Eratosthenes with
N ≈ n1/4 in order to find all primes up to n1/2.
20.3 Fermat’s factorisation method
Take n > 1 and odd. Fermat’s idea is to try to write n as n = x2 − y2, as then n =(x+ y)(x− y). So if x > y + 1 we get a nontrivial factorisation of n.
We successively try x = d√ne, d
√ne + 1, d
√ne + 2, . . . , until x2 − n is a square, = y2
say. Then x2 − n = y2, or n = (x + y)(x − y). (This process will eventually terminate, asfor x = (n+ 1)/2 we have x2 − n = ((n− 1)/2)2. But this only give the trivial factorisationn = n · 1.)
Example 1. n = 2479, d√ne = 50, 502 − n = 21, 512 − n = 122, 522 − n = 225 = 152,
giving n = 522 − 152 = (52 + 15)(52− 15) = 67 · 37.
Example 2. n = 3953, d√ne = 63, 632 − n = 16 = 42, giving n = 632 − 42 =
(63 + 4)(63− 4) = 67 · 59.
This method works well if n has two factors close together (so that y is small), but isotherwise slow. However, the idea of trying to write n as a difference of two squares is afactorisation idea used in several other factorisation algorithms, for instance in the QuadraticSieve algorithm.
89
20.4 Pollard’s p− 1 method
Take n > 1 and odd, and suppose that n has a prime factor p. Then, if p − 1 | k! for somek, say k! = (p− 1)q, then
2k! = (2q)p−1 ≡ 1 mod p,
by Fermat’s Little Theorem, so that p | 2k!− 1. Hence p | gcd(2k!− 1, n). So long as this gcdisn’t n, we obtain a nontrivial (i.e., not 1 or n) factor of n.
So algorithm is:
Compute modulo n 2, 22! = 22, 23! = 22!3, 24! = 23!4, . . . , 2k! = 2(k−1)!k until n > gcd(n, 2k!−1) > 1. Then gcd(n, 2k! − 1) is a nontrivial factor of n.
Maple code for Pollard p− 1:
r:=2;g:=1;
for k to n while g=1 or g=n do
r:=r^k mod n; g:=gcd(r-1,n);
end do;
print(g,k);
At worst k could be near (n− 1)/2, but is sometimes much smaller. It is generally largewhen all prime factors p of n are such that p− 1 has a large prime factor. It is small whenn has a prime factor p for which all prime factors of p− 1 are small.
Example 1 again. n = 2479. Here k = 6 is enough, as 37 − 1 = 36 | 6!, showing thatp = 37 is a factor.
Example 2 again. n = 3953. Here k = 11 is enough, as 67− 1 = 66 | 11!, showing thatp = 67 is a factor.
20.5 Pollard rho
The idea: for some function f : N → N define an integer sequence, starting with a ‘seed’x0, and defining xk+1 ≡ f(xk) mod n for k ≥ 0. if these numbers are fairly random (modn) then we’d expect to need about
√n of them before two will be equal (mod n). [Compare
the ‘Birthday Paradox’ in Probability Theory, where 23 people chosen at random have,under standard assumptions, a 50% probability of containing a pair that share a birthday.]However, if p is the smallest prime factor of n, and p is much smaller than n, we’d expect thatroughly
√p of the xi are needed before two are equal (mod p). Then if indeed xi ≡ xj mod p
we have p | gcd(xi− xj, n). Provided that xi 6≡ xi (mod n), this will yield a proper factor ofn.
The name ‘Pollard rho’ comes from the ρ-shaped diagram you can draw, consisting of apath from x0 to x1, x1 to x2, and so on, until the path curls around to intersect itself withxj ≡ xi mod p.
90
In practice we can take x0 = 2 and f(x) = x2 + 1. If xi ≡ xj mod p with 0 < i < j, then
xi+1 ≡ f(xi) ≡ f(xj) ≡ xj+1 mod p.
Proceeding in this way, we have
xi+s ≡ xj+s mod p for s = 1, 2, 3, . . . . (20)
Alsoxi ≡ xj ≡ f j−i(xi) ≡ f j−i(xj) ≡ xj+(j−i) ≡ x2j−i,
where f j−i is the (j − i)-fold iterate of f . Hence we can add j − i to the index repeatedly,to obtain
xi ≡ xj ≡ xj+(j−i) ≡ xj+2(j−i) ≡ . . . mod p.
Thus, by if necessary replacing j by j + (a multiple of j − i), we can make j as large aswe like. In particular, we can assume that j ≥ 2i.
Now take s = j − 2i in (20), giving xj−i ≡ x2(j−i) mod p. So in fact we just need to findsome k such that
n > gcd(x2k − xk, n) > 1.
(So we do not need to compare xj with all previous xi’s for i < j.)
Maple code for Pollard rho:
g:=1;x[0]:=2;
for k to 100 while g=1 or g=n do
x[k]:=x[k-1]^2+1 mod n;
if k mod 2 = 0 then g:=gcd(x[k]-x[k/2],n); end if;
end do;
k:=k-1;
print(k,g);
(The choice of 100 as the maximum value for k is somewhat ad hoc, and can of coursebe increased.)
Example 1 yet again. n = 2479. Here k = 6, and g = 37 is a factor.
Example 2 yet again. n = 3953. Here k = 12, and g = 59 is a factor.
Example 3. n = 10092. Here k = 98 and g = 1009 is a (prime) factor.
This last example shows that the algorithm does not work so well (i.e., k is large) if theprime factors of n are large.
91
20.6 Final remarks.
• To specify a factoring algorithm, it’s enough to have a general method that, for a givencomposite n, factors n as n = n1n2, where both n1, n2 > 1. For then you can test n1
and n2 for primality and, if either is composite, recursively apply your algorithm tothem. In this way you will eventually be able to write n as a product of powers ofdistinct primes. So your algorithm does not need to explicitly specify how to do this.
• In order to factor n, it’s enough to find k: 1 < gcd(k, n) < n, as then gcd(k, n) is anontrivial factor of n, with n = n1n2, where n1 = gcd(k, n) and n2 = n/ gcd(k, n).
But if say n = pq where p, q are primes ≈ 10300, then ϕ(n) = (p − 1)(q − 1) =n−p−q+1 ≈ 10600, and n−ϕ(n) = p+q−1 ≈ 2 ·10300. So a random k ∈ {1, 2, . . . , n}has a probability of ≈ 2 · 10−300 of having gcd(k, n) > 1 – vanishingly small!
• If we can find a solution x to the equation x2 ≡ 1 mod n that’s not x = ±1 then we canfactor n. This is because such a solution will produce n = n1n2 where n1 = gcd(x−1, n)and n2 = gcd(x + 1, n). For more details see also the end of Chapter 6, where thismethod is applied to factorise a ‘weak pseudoprime’.
Conversely, any nontrivial factorisation n = n1n2 with gcd(n1, n2) = 1 gives rise tofour solutions of x2 ≡ 1 mod n. This is because we can use the Chinese RemainderTheorem to solve the equations x ≡ −1 mod n1, x ≡ 1 mod n2. Then x and −x areboth solutions of x2 ≡ 1 mod n, and neither is either of ±1.
• Other factorisation methods:
– The Quadratic Sieve – the best general algorithm for numbers up to 10100;
– The General Number Field Sieve – best for larger n (not of a special form).
For more factorisation methods see Wikipedia “integer factorization”.
92
ADDITIONAL TOPICS
Notes by Prof. Chris Smyth
Not lectured on in 2015
21 Dirichlet series
For an arithmetic function f , define its Dirichlet series Df (s) by
Df (s) =∞∑n=1
f(n)
ns.
Here s ∈ C is a parameter. Typically, such series converge for <s > 1, and can be mero-morphically continued to the whole complex plane. However, we will not be concerned withanalytic properties of Dirichlet series here, but will regard them only as generating functionsfor arithmetic functions, and will manipulate them formally, without regard to convergence.
The most important example is for f(n) = 1 (n ∈ N), which gives the Riemann zetafunction ζ(s) =
∑∞n=1
1ns . Also, taking f(n) = n (n ∈ N) gives ζ(s− 1). (Check!).
Proposition 21.1. If f is multiplicative then
Df (s) =∏p
(1 +
f(p)
ps+f(p2)
p2s+ · · ·+ f(pk)
pks+ . . .
)=∏p
Df,p(s), (21)
say.
Proof. Expanding the RHS of (21), a typical term is
f(pe11 )f(pe22 ) . . . f(perr )
pe11 pe22 . . . perr
=f(n)
ns
for n =∏r
i=1 peii , using the fact that f is multiplicative.
Such a product formula Df (s) =∏
pDf,p(s) over all primes p is called an Euler productfor Df (s).
For example
ζ(s) =∏p
(1 +
1
ps+
1
p2s+ · · ·+ 1
pks+ . . .
)=∏p
(1
1− p−s
),
on summing the Geometric Progression (GP). Hence also
1
ζ(s)=∏p
(1− p−s
)=∞∑n=1
µ(n)
ns= Dµ(s),
on expanding out the product.
93
Proposition 21.2. We have(∑k
akks
)·
(∑`
b``s
)=
(∑n
cnns
),
where cn =∑
k|n akbn/k.
Proof. On multiplying out the LHS, a typical term is
akks· b``s
=akbn/kns
,
where k` = n. So all pairs k, ` with k` = n contribute to the numerator of the term withdenominator ns.
Corollary 21.3. We have DF (s) = Df (s)ζ(s).
Proof. Apply the Proposition with ak = f(k) and b` = 1.
Corollary 21.4 ( Mobius inversion again). We have f(n) =∑
d|n µ(n/d)F (d) for all n ∈ N.
Proof. From Corollary 21.3 we have
Df (s) = DF (s) · 1
ζ(s)=
(∑k
F (k)
ks
)·
(∑`
µ(`)
`s
)=
(∑n
cnns
),
where cn =∑
k|n F (k)µ(n/k). But Df (s) =∑∞
n=1f(n)ns , so, on comparing coefficients, f(n) =∑
k|n F (k)µ(n/k).
We now compute the Dirichlet series for a few standard functions. [Part (a) is alreadyproved above.]
Proposition 21.5. We have
(a) Dµ(s) = 1ζ(s)
;
(b) Dϕ(s) = ζ(s−1)ζ(s)
;
(c) Dτ (s) = ζ(s)2;
(d) Dσ(s) = ζ(s− 1)ζ(s).
94
Proof. (b) Now
Dϕ(s) =∏p
(1 +
ϕ(p)
ps+ϕ(p2)
p2s+ · · ·+ ϕ(pk)
pks+ . . .
)=∏p
(1 +
p− 1
ps+p2 − pp2s
+ · · ·+ pk − pk−1
pks+ . . .
)=∏p
(1 +
p− 1
ps· 1
1− p1−s
), on summing the GP
=∏p
(1− p−s
1− p−(s−1)
), on simplification
=ζ(s− 1)
ζ(s).
(c) Now
Dτ (s) =∏p
(1 +
τ(p)
ps+τ(p2)
p2s+ · · ·+ τ(pk)
pks+ . . .
)=∏p
(1 +
2
ps+
3
p2s+ · · ·+ k + 1
pks+ . . .
)
=∏p
1
(1− p−s)2using (1− x)−2 =
∞∑k=0
(k + 1)xk
= ζ(s)2
(d) This can be done by the same method as (b) or (c) – a good exercise! But, given thatwe know the answer, we can work backwards more quickly:
ζ(s− 1)ζ(s) =
(∑k
k
ks
)·
(∑`
1
`s
)=∑n
∑k|n k · 1ns
= Dσ(s),
using Prop. 21.2
22 Some Analytic Results about primes and the divi-
sor function
22.1 The Prime Number Theorem
How frequent are the primes? At the end of the eighteenth century, Gauss and Legendresuggested giving up looking for a formula for the nth prime, and proposed instead estimating
95
the number of primes up to x. So, define the prime-counting function π(x) by
π(x) =∑p6x
p prime
1.
Gauss conjectured on computational evidence that π(x) ∼ xlog x
. This was proved by inde-pendently by Hadamard and de la Vallee Poussin in 1896, and became known as
Theorem 22.1 (The Prime Number Theorem). We have π(x) ∼ xlog x
as x→∞.
It turns out to be more convenient to work with
θ(x) =∑p6x
p prime
log p,
which is called Chebyshev’s θ-function. In terms of this function it can be shown (notdifficult) that the Prime Number Theorem is equivalent to the statement θ(x) ∼ x (x →∞).
We won’t prove PNT here, but instead a weaker version, and in terms of θ(x):
Theorem 22.2. As x→∞ we have
(log 2)x+ o(x) < θ(x) < (2 log 2)x+ o(x),
so that0.6931x+ o(x) < θ(x) < 1.3863x+ o(x).
22.2 Proof of Theorem 22.2
22.2.1 The upper bound
Proposition 22.3. We have θ(x) < (2 log 2)x+O(log2 x).
Proof. Consider(2nn
). By the Binomial Theorem, it is less than (1 + 1)2n = 4n. Also, it is
divisible by all primes p with n < p 6 2n, so
4n >
(2n
n
)>
∏n<p62n
p = eθ(2n)−θ(n).
Hence θ(2n)− θ(n) 6 2n log 2.Now if 2n 6 x < 2n+ 2 (i.e., n 6 x/2 < n+ 1) then θ(x/2) = θ(n) and
θ(x) ≤ θ(2n) + log(2n+ 1) 6 θ(2n) + log(x+ 1),
96
so that, for each x,
θ(x)− θ(x/2) 6 θ(2n) + log(x+ 1)− θ(n)
6 2n log 2 + log(x+ 1)
6 x log 2 + log(x+ 1).
So (standard telescoping argument for x, x/2, x/22, . . . , x/2k where x/2k−1 > 2, x/2k < 2,θ(x/2k) = 0):
θ(x) =(θ(x)− θ
(x2
))+(θ(x
2
)− θ
( x22
))+(θ( x
22
)− θ
( x23
))+ . . .
(θ( x
2k−1
)− θ
( x2k
))6 log 2
(x+
x
2+ · · ·+ x
2k−1
)+ k log(x+ 1)
6 2x log 2 + blog2 xc log(x+ 1)
6 2x log 2 +O(log2 x).
22.2.2 The lower bound
To obtain an inequality in the other direction, we look at
dn = lcm(1, 2, . . . , n) = e∑
pm6n log p.
Defineψ(x) =
∑pm6xp prime
log p;
(i.e., log p to be counted m times if pm is the highest power of p that is 6 x). So dn = eψ(n).
Lemma 22.4. We have ψ(x) < θ(x) + 2x1/2 log x+O(log2 x).
Proof. Now
ψ(x) =∑p6x
log x+∑p26x
log x+∑p36x
log x+ . . .
= θ(x) + θ(x1/2) + θ(x1/3) + · · ·+ θ(x1/k),
where k is greatest such that x1/k > 2, i.e., k = blog2 xc
< θ(x) + log2 x θ(x1/2)
< θ(x) + 2x1/2 log x+O(log2 x), using Prop. 22.3.
97
Curious note: this k is the same one as in the proof of Prop. 22.3, though they haveapparently different definitions.
We can now prove
Proposition 22.5. We have θ(x) > x log 2 +O(x1/2 log x).
Proof. Consider the polynomial p(t) = (t(1 − t))n on the interval [0, 1]. As t(1 − t) ≤ 14
onthat interval (calculus!), we have
0 6 p(t) ≤ 1
4non [0, 1].
Writing p(t) =∑2n
k=0 aktk ∈ Z[t], then
1
4n>∫ 1
0
p(t)dt =2n∑k=0
akk + 1
=N
d2n+1
≥ 1
d2n+1
,
for some N ∈ N, on putting the fractions over a common denominator. Hence we havesuccessively
d2n+1 > 4n
ψ(2n+ 1) > 2n log 2 on taking logs
θ(2n+ 1) > 2n log 2− 2 log(2n+ 1)√
2n+ 1 by Lemma 22.4
θ(x) > x log 2 +O(x1/2 log x).
Combining Propositions 22.3 and 22.5, we certainly obtain Theorem 22.2.
22.3 Some standard estimates
Lemma 22.6. For t > −1 we have log(1 + t) 6 t, with equality iff t = 0.For n ∈ N we have n log(1 + 1
n) < 1.
Proof. The first inequality comes from observing that the tangent y = t to the graph ofy = log(1 + t) at t = 0 lies above the graph, touching it only at t = 0. The second inequalitycomes from putting t = 1/n in the first inequality.
Lemma 22.7 (Weak Stirling Formula). For n ∈ N we have
n log n− n < log(n!) 6 n log n.
Proof. Now for j > 2 we have
log j = j log j − (j − 1) log(j − 1)− (j − 1) log
(1 +
1
j − 1
)= j log j − (j − 1) log(j − 1)− δj,
98
where 0 < δj < 1, using Lemma 22.6 for n = j − 1. So, on summing for j = 2, . . . , n we get
log(n!) =n∑j=2
log j
=n∑j=2
j log j − (j − 1) log(j − 1)− δj
= n log n−n∑j=2
δj
= n log n−∆,
where 0 < ∆ < n, since 1 log 1 = 0 and all the other j log j terms apart from n log ntelescope.
Proposition 22.8. We have ∑n6x
1
n= log x+ γ +O
(1
x
),
where γ = 0.577 . . . , the Euler-Mascheroni constant.
Proof. Draw the graph of y = 1/t for t from 0+ to N + 1, where N = bxc. On eachinterval [n, n+ 1] draw a rectangle of height 1/n, so that these rectangles for n = 1, 2, . . . , Ncompletely cover the area under the curve from t = 1 to t = N + 1. The pie-shaped piecesof the rectangles above the curve, when moved to the left to lie above the interval [0, 1], arenon-intersecting, and more than half-fill the 1 × 1 square on that interval. Say their totalarea is γn. Then, as n→∞, γn clearly tends to a limit γ, the Euler-Mascheroni constant.
The sum of the areas of the rectangles above [n, n + 1] for n = 1, 2, . . . , N is clearly∑Nn=1 1/n (the total area of the parts of the rectangles below the curve). On the other hand,
it is∫ N+1
1dxx
= log(N + 1) (the total area of the parts of the rectangles below the curve),plus γn (the total area of the parts of the rectangles above the curve). Hence
∑n6x
1
n=
N∑n=1
1/n = log(N + 1) + γn.
Since log(N + 1)− log x = O(1x
)and γ − γn = O
(1x
)(check!), we have the result.
22.4 More estimates of sums of functions over primes
Let us put Px =∏
p6x1
1−p−1 . Then
Proposition 22.9. We have Px > log x.
99
Proof. We have
Px =∏p6x
(1 +
1
p+
1
p2+ · · ·+ 1
pn+ . . .
).
On multiplying these series together, we obtain a sum of terms that includes all fractions 1n,
where n 6 x. This is simply because all prime factors of such n are at most x. Hence
Px >∑n6x
1
n> log x,
by Prop. 22.8.
Corollary 22.10. There are infinitely many primes.
Proposition 22.11. We have ∑p6x
1
p> log log x− 1.
Proof. We have
logPx =∑p6x
log
(1 +
1
p+
1
p2+
1
p3+ · · ·+ 1
pk+ . . .
)<∑p6x
1
p+∑p6x
1
p(p− 1),
on applying Lemma 22.6 with t = 1p
+ 1p2
+ 1p3
+ · · ·+ 1pk
+ . . . , and summing the GP, starting
with the 1/p2 term,
<∑p6x
1
p+∞∑n=1
1
(n+ 1)n
=∑p6x
1
p+∞∑n=1
(1
n− 1
n+ 1
)=∑p6x
1
p+ 1,
because of the telescoping of∑∞
n=1
(1n− 1
n+1
). Hence
∑p6x
1
p> logPx − 1 > log log x− 1,
using Prop. 22.9.
100
Proposition 22.12. We have∑p6x
log p
p= log x+O(1) as x→∞.
Proof. Now from Problem Sheet 1, Q8, we have
n! =∏p6n
pbnpc+
⌊np2
⌋+...,
so that (taking logs)
log(n!) =∑p6n
(⌊n
p
⌋+
⌊n
p2
⌋+
⌊n
p3
⌋+ . . .
)log p
=∑p6n
⌊n
p
⌋log p+ Sn,
where
Sn : =∑p6n
(⌊n
p2
⌋+
⌊n
p3
⌋+ . . .
)log p
≤∑p6n
(n
p2+n
p3+ . . .
)log p
= n∑p6n
log p
p(p− 1)
< n∞∑k=1
log(k + 1)
(k + 1)k
= nc,
for some positive constant c, since the last sum is convergent. Hence nc > Sn > 0. Also, forn = bxc we have
n∑p6x
log p
p≥∑p6x
⌊n
p
⌋log p
>∑p6x
(n
p− 1
)log p
= n∑p6x
log p
p− θ(x).
101
Hence
n∑p6x
log p
p>∑p6x
⌊n
p
⌋log p > n
∑p6x
log p
p−O(x),
since θ(x) = O(x), by Theorem 22.2. Now add the inequality nc > Sn > 0 to the aboveinequality, to obtain
n∑p6x
log p
p+ nc > log(n!) > n
∑p6x
log p
p−O(x).
Dividing by n, and using the fact that log(n!)n
= log n−O(1) from Prop. 22.7, we have∑p6x
log p
p+O (1) > log n−O (1) >
∑p6x
log p
p−O (1) .
Hence ∑p6x
log p
p= log x+O(1).
22.5 The average size of the divisor function τ(n)
The following result is a way of saying that an integer n has log n + 2γ − 1 divisors, onaverage. Recall that τ(n) is the number of (positive) divisors of n.
Proposition 22.13. We have, as x→∞, that∑n6x
τ(n) = x log x+ (2γ − 1)x+O(√
x).
Proof. Now∑n6x
τ(n) =∑n6x
∑`|n
1
=∑`6x
∑n=k`k≤x
`
1
=∑`6x
⌊x`
⌋,
102
on recalling that byc is the number of positive integers 6 y,
= 2∑`6√x
⌊x`
⌋−⌊√
x⌋2
by Q10, Problem Sheet 1
= 2∑`6√x
x
`− x+O(
√x)
= 2x
(log√x+ γ +O
(1√x
))− x+O(
√x) using Prop. 22.8
= x log x+ (2γ − 1)x+O(√x).
23 p-adic numbers
23.1 Motivation: Solving x2 ≡ a mod pn
Take an odd prime p, and an integer a coprime to p. Then, as we know, x2 ≡ a mod p has a
solution x ∈ Z iff
(a
p
)= 1. In this case we can suppose that b20 ≡ a mod p. We claim that
then x2 ≡ a mod pn has a solution x for all n ∈ N.Assume that we have a solution x of x2 ≡ a mod pn for some n > 1. Then x is coprime
to p, so that we can find x1 ≡ 12(x+ a/x) mod p2n. (This is the standard Newton-Raphson
iterative method x1 = x − f(x)/f ′(x) for solving f(x) = 0, applied to the polynomialf(x) = x2 − a, but modp2n instead of in R or C.) Then
x1 − x = −1
2
(x− a
x
)= − 1
2x
(x2 − a
)≡ 0 mod pn,
and
x21 − a =1
4
(x2 + 2a+
a2
x2
)− a
=1
4
(x− a
x
)2=
1
4x2(x2 − a)2
≡ 0 mod p2n
Thus, starting with x0 such that x20 ≡ a mod p20, we get successively x1 with x21 ≡ a mod p2
1,
x2 with x22 ≡ a mod p22,. . . , xk with x2k ≡ a mod p2
k,. . . , with xk+1 ≡ xk mod p2
k. So, writing
103
the xi in base p, we obtain
x0 = b0
x1 = b0 + b1p say, specified mod p2
x2 = b0 + b1p+ b2p2 + b3p
3 say, specified mod p4
x3 = b0 + b1p+ b2p2 + b3p
3 + b4p4 + b5p
5 + b6p6 + b7p
7 say, specified mod p8,
and so on.So, in any sense, is x∞ =
∑∞i=1 bip
i a root of x2 ≡ a mod p∞? It turns out that, yes, itis: x∞ is a root of x2 = a in the field Qp of p-adic numbers.
23.2 Valuations
In order to define the fields Qp of p-adic numbers for primes p, we first need to discussvaluations.
A valuation | · | on a field F is a map from F to the nonnegative real numbers satisfying
For each x ∈ F |x| = 0 iff x = 0; (ZERo)
For each x, y ∈ F |xy| = |x| · |y|; (HOMomorphism)
For each x, y ∈ F |x+ y| 6 |x|+ |y|. (TRIangle)
If in addition
For each x, y ∈ F |x+ y| 6 max(|x|, |y|), (MAXimum)
then | · | is called a nonarchimedean valuation. A valuation that is not nonarchimedean,i.e., for which there exist x, y ∈ F such that |x+ y| > max(|x|, |y|), is called archimedean.For instance the standard absolute value on R is archimedean because 2 = |2| = |1 + 1| >max(|1|, |1|) = 1.
Note that MAX is stronger than TRI in the sense that if MAX is true than TRI iscertainly true. So to show that a valuation is nonarchimedean we only need to check thatZER, HOM and MAX hold.
Proposition 23.1. For any valuation | · | on a field F we have |1| = |−1| = 1 and for n ∈ N(defined as the sum of n copies of the identity of F ) we have | − n| = |n| and |1/n| = 1/|n|.Further, for n,m ∈ N we have |n/m| = |n|/|m|.
Proof. We have |1| = |12| = |1|2, using HOM, so that |1| = 0 or 1. But |1| 6= 0 by ZER, so|1| = 1.
Also 1 = |1| = |(−1)2| = | − 1|2 by HOM, so that | − 1| = 1 since | − 1| > 0.Further, | − n| = |(−1)n| = | − 1| · |n| = 1 · |n| = |n|, and from n · (1/n) = 1 we get
|n| · |1/n| = |1| = 1, so that |1/n| = 1/|n|.Finally, from n/m = n · (1/m) we get |n/m| = |n| · |1/m| = |n|/|m|.
104
23.3 Nonarchimedean valuations
From now on we restrict our attention to nonarchimedean valuations.
Proposition 23.2 (Principle of Domination). Suppose that we have a nonarchimedean val-uation | · | on a field F , and that x, y ∈ F with |x| 6= |y|. Then
|x+ y| = max(|x|, |y|).
Note the equal sign in this statement!
Proof. Put s = x+ y, and assume w.l.g. that |x| < |y|. Then |s| ≤ max(|x|, |y|) = |y|, while
|y| = |s− x| ≤ max(|s|, | − x|) = max(|s|, |x|) = |s|,
since otherwise we’d have |y| ≤ |x|. Hence |s| = |y| = max(|x|, |y|).
Corollary 23.3. Suppose that x1, . . . , xn ∈ F , with | · | nonarchimedean. Then
|x1 + . . . ,+xn| ≤ max(|x1|, . . . , |xn|),
with equality if |x1| > max(|x2, . . . , |xn|).
Proof. Use induction, with the help of MAX, for the inequality. For the equality, put x1 = yand x2 + · · ·+ xn = x in the Principle of Domination.
Corollary 23.4. For | · | nonarchimedean and n ∈ Z we have |n| 6 1.
Proof. Apply the Corollary above with all xi = 1. Then use | − n| = |n|.
Lemma 23.5. If | · | is a nonarchimedean valuation on F , then so is | · |α for any α > 0.
Proof. It’s easily checked that ZER, HOM and MAX still hold when the valuation we startwith is taken to the α-th power.
[ The same does not apply to TRI – we need 0 < α 6 1 for TRI to still always hold.]
23.4 Nonarchimedean valuations on QCorollary 23.6. If | · | is a nonarchimedean valuation on Q with |n| = 1 for all n ∈ N then| · | is trivial, i.e., |x| = 0 if x = 0 while |x| = 1 if x 6= 0.
Proof. We then have |x| = 0 by ZER, while |n/m| = |n|/|m| = 1/1 = 1.
We’ll ignore trivial valuations from now on.
Proposition 23.7. If | · | is a nonarchimedean valuation on Q with |n| < 1 for some n ∈ N,then there is a prime p such that {n ∈ N : |n| < 1} = {n ∈ N : p divides n}.
105
Proof. Take the smallest positive integer n1 such that |n1| < 1. We know that n1 > 1. If n1
is composite, say n1 = n2n3 with 1 < n2, n3 < n1, then, by the minimality of n1, we have|n2| = |n3| = 1, so that |n1| = |n2| · |n3| = 1 · 1 = 1 by HOM, a contradiction. Hence n1 isprime, = p say.
Then for any n with |n| < 1 we can, by the division algorithm, write n = qp + r where0 6 r < p. But then |r| = |n − qp| ≤ max(|n|, | − qp|) = max(|n|, | − 1| · |q| · |p|) < 1, as| − 1| = 1, |q| 6 1 and |p| < 1. By the minimality of p we must have r = 0, so that p | n.
Next, we show that there is indeed a valuation on Q corresponding to each prime p. Wedefine | · |p by |0| = 0, |p|p = 1/p and |n| = 1 for n ∈ Z and coprime to p, and |pkn/m|p = p−k
for n and m coprime to p. We call this the p-adic valuation on Q.
Proposition 23.8. The p-adic valuation on Q is indeed a valuation.
Proof. The definition of | · |p ensures that ZER and HOM hold. It remains only to checkthat MAX holds.
Let x = pkn/m and y = pk′n′/m′,where n,m, n′m′ are all coprime to p. Suppose w.l.g.
that k 6 k′. Then |x|p = |pk|p · |n|p/|m|p = p−k as |n|p = |m|p = 1 and |p|p = 1/p. Similarly|y|p = p−k
′ ≤ |x|p. Hence
|x+ y|p =
∣∣∣∣pk(nm′ + pk′−kn′m)
mm′
∣∣∣∣p
=p−k|nm′ + pk
′−kn′m|p|mm′|p
6 p−k = max(|x|p, |y|p).
as |m|p = |m′|p = 1 and |nm′ + pk′−kn′m|p 6 1, since nm′ + pk
′−kn′m ∈ Z.
[Note that the choice of |p|p = 1/p is not particularly important, as by replacing | · |p byits α-th power as in Lemma 23.5 we can make |p|p equal any number we like in the interval(0, 1). But we do need to fix on a definite value!]
23.5 The p-adic completion Qp of QWe first recall how to construct the real field R from Q, using Cauchy sequences. Takethe ordinary absolute value | · | on Q, and define a Cauchy sequence to be a sequence(an) = a1, a2, . . . , an, . . . of rational numbers with the property that for each ε > 0 there isan N > 0 such that |an − an′ | < ε for all n, n′ > N . We define an equivalence relation onthese Cauchy sequences by saying that two such sequences (an) and (bn) are equivalent ifthe interlaced sequence a1, b1, a2, b2, . . . , an, bn, . . . is also a Cauchy sequence. [Essentially,this means that the sequences tend to the same limit, but as we haven’t yet constructed R,where (in general) the limit lies, we can’t say that.] Having checked that this is indeed anequivalence relation on these Cauchy sequences, we define R to be the set of all equivalenceclasses of such Cauchy sequences. We represent each equivalence class by a convenientequivalence class representative; one way to do this is by the standard decimal expansion. So,the class π will be represented by the Cauchy sequence 3, 3.1, 3.14, 3.141, 3.1415, 3.14159, . . . ,which we write as 3.14159 . . . . Further, we can make R into a field by defining the sum and
106
product of two Cauchy sequences in the obvious way, and also the reciprocal of a sequence,provided the sequence doesn’t tend to 0.
[The general unique decimal representation of a real number a is
a = ±10k(d0 + d110−1 + d210−2 + · · ·+ dn10−n + . . . ),
where k ∈ Z, and the digits di are in {0, 1, 2, . . . , 9}, with d0 6= 0. Also, it is forbidden thatthe di’s are all = 9 from some point on, as otherwise we get non-unique representations, e.g.,1 = 100(1.00000 . . . ) = 10−1(9.99999 . . . ).]
We do the same kind of construction to define the p-adic completion Qp of Q, exceptthat we replace the ordinary absolute value by | · |p in the method to obtain p-Cauchysequences. To see what we should take as the equivalence class representatives, we needthe following result.
Lemma 23.9. Any rational number m/n with |m/n|p = 1 can be p-adically approximatedarbitrarily closely by a positive integer. That is, for any k ∈ N there is an N ∈ N such that|m/n−N |p 6 p−k.
Proof. We can assume that |n|p = 1 and |m|p 6 1. We simply take N = mn′, wherenn′ ≡ 1 mod pk. Then the numerator of m/n−N is an integer that is divisible by pk.
An immediate consequence of this result is that any rational number (i.e., droppingthe |m/n|p = 1 condition) can be approximated arbitrarily closely by a positive integertimes a power of p. Thus one can show that any p-Cauchy sequence is equivalent to onecontaining only those kind of numbers. We write the positive integer N in base p, so thatpkN = pk(a0+a1p+a2p
2+ · · ·+arpr) say, where the ai are base-p digits ∈ {0, 1, 2, . . . , p−1},
and where we can clearly assume that a0 6= 0 (as otherwise we could increase k by 1). Wedefine Qp, the p-adic numbers, to be the set of all equivalence classes of p-Cauchy sequencesof elements of Q. Then we have the following.
Theorem 23.10. Every nonzero element (i.e., equivalence class) in Qp has an equivalenceclass representative of the form
pka0, pk(a0 + a1p), p
k(a0 + a1p+ a2p2), . . . , pk(a0 + a1p+ a2p
2 + · · ·+ aipi), . . . ,
which we write simply as
pk(a0 + a1p+ a2p2 + · · ·+ aip
i + . . . ) [= pk(∞∑i=0
aipi)].
Here, the ai are all in ∈ {0, 1, 2, . . . , p− 1}, with a0 6= 0.
Thus we can regard p-adic numbers as these infinite sums pk(∑∞
i=0 aipi). We define
the unary operations of negation and reciprocal, and the binary operations of addition andmultiplication in the natural way, namely: apply the operation to the (rational) elements ofthe p-Cauchy sequence representing that number, and then choose a standard equivalenceclass representative (i.e., pk(
∑∞i=0 aip
i) with all ai ∈ {0, 1, 2, . . . , p−1}, a0 6= 0) for the result.When we do this, we have
107
Theorem 23.11. With these operations, Qp is a field, the field of p-adic numbers, andthe p-adic valuation | · |p can be Extended from Q to Qp by defining |a|p = p−k when a =pk(∑∞
i=0 aipi). Again, the ai are all in ∈ {0, 1, 2, . . . , p− 1}, with a0 6= 0.
We shall skip over the tedious details that need to be checked to prove these two theorems.Note that, like R, Qp is an uncountable field of characteristic 0 (quite unlike Fp, which
is a finite field of characteristic p).We define a p-adic integer to be an p-adic number a with |a|p 6 1, and Zp to be the
set of all p-adic integers.
Proposition 23.12. With the arithmetic operations inherited from Qp, the set Zp is a ring.
Proof. This is simply because if a and a′ ∈ Zp, then |a|p 6 1 and |a′|p 6 1, so that
|a+ a′|p ≤ max(|a|p, |a′|p) 6 1 by MAX ;
|a · a′|p = |a|p · |a′|p 6 1 by HOM ,
showing that Zp is closed under both addition and multiplication, and so is a ring.
An p-adic number a is called a p-adic unit if |a|p = 1. Then k = 0 so that a =∑∞
i=0 aipi
with all ai ∈ {0, 1, 2, . . . , p − 1} and a0 6= 0. The set of all p-adic units is a multiplicativesubgroup of the multiplicative group Q×p = Qp \ {0}. This is because if |a|p = 1 then|1/a|p = 1/|a|p = 1, so that 1/a is also a unit.
23.6 Calculating in Qp
23.6.1 Negation
If a = pk(∑∞
i=0 aipi), then
−a = pk
((p− a0) +
∞∑i=1
(p− 1− ai)pi),
as can be checked by adding a to −a (and getting 0!). Note that from all ai ∈ {0, 1, 2, . . . , p−1} and a0 6= 0 we have that the same applies to the digits of −a.
23.6.2 Reciprocals
If a = pk(∑∞
i=0 aipi), then
1
a= p−k(a′0 + a′1p+ · · ·+ a′ip
i + . . . )
say, where for any i the first i digits a′0, a′1, . . . , a
′i can be calculated as follows: Putting
a0 + a1p + · · · + aipi = N , calculate N ′ ∈ N with N ′ < pi+1 such that NN ′ ≡ 1 mod pi+1.
Then writing N ′ in base p as N ′ = a′0 + a′1p+ · · ·+ a′ipi gives a′0, a
′1, . . . , a
′i.
108
23.6.3 Addition and multiplication
If a = pk(∑∞
i=0 aipi) and a′ = pk(
∑∞i=0 a
′ipi) (same k) then a+a′ = pk((a0 +a′0)+(a1 +a′1)p+
· · ·+ (ai+a′i)pi+ . . . ), where then ‘carrying’ needs to be performed to get the digits of a+a′
into {0, 1, 2, . . . , p − 1}. If a′ = pk′(∑∞
i=0 a′ipi) with k′ < k then we can pad the expansion
of a′ with initial zeros so that we can again assume that k′ = k, at the expense of no longerhaving a′0 nonzero. Then addition can be done as above.
Multiplication is similar: multiplying a = pk(∑∞
i=0 aipi) by a′ = pk
′(∑∞
i=0 a′ipi) gives
a · a′ = pk+k′(a0a
′0 + (a1a
′0 + a0a
′1)p+ · · ·+ (
i∑j=0
aja′i−j)p
i + . . . ),
where then this expression can be put into standard form by carrying.
23.7 Expressing rationals as p-adic numbers
Any nonzero rational can clearly be written as ±pkm/n, where m,n are positive integerscoprime to p (and to each other), and k ∈ Z. It’s clearly enough to express ±m/n as a p-adicnumber a0 + a1p+ . . . , as then ±pkm/n = pk(a0 + a1p+ . . . ).
23.7.1 Representating −m/n, where 0 < m < n
We have the following result.
Proposition 23.13. Put e = ϕ(n). Suppose that m and n are coprime to p, with 0 < m < n,and that the integer
mpe − 1
nis written as d0 + d1p+ · · ·+ de−1p
e−1
in base p. Then
−mn
= d0 + d1p+ · · ·+ de−1pe−1 + d0p
e + d1pe+1 + · · ·+ de−1p
2e−1 + d0p2e + d1p
2e+1 + . . . .
Proof. We know that pe−1n
is an integer, by Euler’s Theorem. Hence
−mn
=mpe−1
n
1− pe= (d0 + d1p+ · · ·+ de−1p
e−1)(1 + pe + p2e + . . . ),
which gives the result.
In the above proof, we needed m < n so that mpe−1n
< pe, and so had a representationd0 + d1p+ · · ·+ de−1p
e−1.
109
23.7.2 The case m/n, where 0 < m < n
For this case, first write −m/n = u/(1− pe), where, as above, u = m · pe−1n. Then
m
n=−u
1− pe= 1 +
pe − 1− u1− pe
= 1 +u′
1− pe,
where u′ = pe − 1− u and 0 6 u′ < pe. Thus we just have to add 1 to the repeating p-adicinteger u′ + u′pe + u′p2e + . . . .
Example What is 1/7 in Q5?From 56 ≡ 1 mod 7 (Fermat), and (56 − 1)/7 = 2232, we have
−1
7=
2232
1− 56
=2 + 1 · 5 + 4 · 52 + 2 · 53 + 3 · 54
1− 56
= (21423)(1 + 56 + 512 + . . . )
= 214230 214230 214230 214230 214230 . . . .
Hence1
7= 330214 230214 230214 230214 230214 230214 . . . ,
which is a way of writing 3 + 3 · 51 + 0 · 52 + 2 · 53 + . . . .
23.8 Taking square roots in Qp
23.8.1 The case of p odd
First consider a p-adic unit a = a0 + a1p + a2p2 + · · · ∈ Zp, where p is odd. Which such a
have a square root in Qp? Well, if a = b2, where b = b0 + b1p+ b2p2 + · · · ∈ Zp, then, working
mod p we see that a0 ≡ b20 mod p, so that a0 must be a quadratic residue modp. In thiscase the method in Section 23.1 will construct b. Note that if at any stage you are trying toconstruct b mod n then you only need to specify a mod n, so that you can always work withrational integers rather than with p-adic integers.
On the other hand, if a0 is a quadratic nonresidue, then a has no square root in Qp.
Example. Computing√
6 in Q5. While the algorithm given in the introduction tothis chapter is a good way to compute square roots by computer, it is not easy to useby hand. Here is a simple way to compute square roots digit-by-digit, by hand: Write√
6 = b0 + b1 · 51 + b2 · 52 + . . . . Then, squaring and working mod 5, we have b20 ≡ 1 mod 5,so that b0 = 1 or 4. Take b0 = 1 (4 will give the other square root, which is minus the onewe’re computing.)
110
Next, working mod 52, we have
6 ≡ (1 + b1 · 5)2 mod 52
6 ≡ 1 + 10b1 mod 52
1 ≡ 2b1 mod 5,
giving b1 = 3. Doing the same thing mod 53 we have
6 ≡ (1 + 3 · 5 + b2 · 52)2 mod 53
6 ≡ 162 + 32b2 · 52 mod 53
−250 ≡ 32b2 · 52 mod 53
0 ≡ 32b2 mod 5,
giving b2 = 0. Continuing mod 54, we get b3 = 4, so that√
6 = 1 + 3 · 5 + 0 · 52 + 4 · 53 + . . . .
Next, consider a general p-adic number a = pk(a0 +a1p+ . . . ). If a = b2, then |a|p = |b|2p,so that |b|p = |a|1/2p = p−k/2. But valuations of elements of Qp are integer powers of p, sothat if k is odd then b 6∈ Qp. But if k is even, there is no problem, and a will have a squareroot b = pk/2(b0 + b1p+ . . . ) ∈ Qp iff a0 is a quadratic residue modp.
23.8.2 The case of p even
Consider a 2-adic unit a = 1+a12+a222+· · · ∈ Z2. If a = b2, where b = b0+b12
1+b222+· · · ∈
Z2, working mod 8, we have b2 ≡ 1 mod 8, so that we must have a ≡ 1 mod 8, givinga1 = a2 = 0. When this holds, the construction of Section 23.1 will again construct b. Onthe other hand, if a 6≡ 1 mod 8, then a has no square root in Q2.
For a general 2-adic number a = 2k(1 + a12 + a222 + . . . ), we see that, similarly to the
case of p odd, a will have a square root in Q2 iff k is even and a1 = a2 = 0.
23.9 The Local-Global Principle
The fields Qp (p prime) and R, and their finite extensions, are examples of local fields.These are complete fields, because they contain all their limit points. On the other hand,Q and its finite extensions are called number fields and are examples of global fields.[Other examples of global and local fields are the fields F(x) of rational functions over afinite field F (global) and their completions with respect to the valuations on them (local).]One associates to a global field the local fields obtained by taking the completions of thefield with respect to each valuation on that field.
Suppose that you are interested in whether an equation f(x, y) = 0 has a solution x, y inrational numbers. Clearly, if the equation has no solution in R, or in some Qp, then, sincethese fields contain Q, the equation has no solution on Q either.
For example, the equation x2 + y2 = −1 has no solution in Q because it has no solutionin R. The equation x2 + 3y2 = 2 has no solution in Q because it has no solution in Q3,because 2 is a quadratic nonresidue of 3.
111
The Local-Global (or Hasse-Minkowski) Principle is said to hold for a class of equations(over Q, say) if, whenever an equation in that class has a solution in each of its completions,it has a solution in Q. This principle holds, in particular, for quadratic forms. Thus for suchforms in three variables, we have the following result.
Theorem 23.14. Let a, b, c be nonzero integers, squarefree, pairwise coprime and not all ofthe same sign. Then the equation
ax2 + by2 + cz2 = 0 (22)
has a nonzero solution (x, y, z) ∈ Z3 iff−bc is a quadratic residue of a; i.e. the equation x2 ≡ −bc mod a has a solution x;−ca is a quadratic residue of b;−ab is a quadratic residue of c.
(Won’t prove.) The first of these conditions is necessary and sufficient for (22) to havea solution in Qp for each odd prime dividing a. Similarly for the other two conditions. Thecondition that a, b, c are not all of the same sign is clearly necessary and sufficent that (22)has a solution in R. But what about a condition for a solution in Q2?
23.9.1 Hilbert symbols
It turns out that we don’t need to consider solutions in Q2, because if a quadratic form hasno solution in Q then it has no solution in a positive, even number (so, at least 2!) of itscompletions. Hence, if we’ve checked that it has a solution in all its completions except one,it must in fact have a solution in all its completions, and so have a solution in Q. This isbest illustrated by using Hilbert symbols and Hilbert’s Reciprocity Law.
For a, b ∈ Q the Hilbert symbol (a, b)p, where p is a prime or∞, and Q∞ = R, is definedby
(a, b)p =
{1 if ax2 + by2 = z2 has a nonzero solution in Qp;
−1 otherwise.
Hilbert’s Reciprocity Law says that∏
p(a, b)p = 1 . (Won’t prove; it is, however, essentiallyequivalent to the Law of Quadratic Reciprocity.) Hence, a finite, even number of (a, b)p (p aprime or ∞) are equal to −1.
23.10 Nonisomorphism of Qp and Qq
When one writes rational numbers to any (integer) base b > 2, and then forms the completionwith respect to the usual absolute value | · |, one obtains the real numbers R, (though maybewritten in base b). Thus the field obtained (R) is independent of b. Furthermore, b needn’tbe prime.
However, when completing Q (in whatever base) with respect to the p-adic valuationto obtain Qp, the field obtained does depend on p, as one might expect, since a differentvaluation is being used for each p. One can, however, prove this directly:
112
Theorem 23.15. Take p and q to be two distinct primes. Then Qp and Qq are not isomor-phic.
Proof. We can assume that p is odd. Suppose first that q is also odd. Let n be a quadraticnonresidue modq. Then using the Chinese Remainder Theorem we can find k, ` ∈ N with
1 + kp = n+ `q. Hence, for a = 1 + kp we have
(a
p
)=
(1
p
)= 1 while
(a
q
)=
(n
q
)= −1.
Hence, by the results of Subsection 23.8 we see that√a ∈ Qp but
√a 6∈ Qq. Thus, if there
were an isomorphism φ : Qp → Qq then we’d have
φ(√a)2 = φ(
√a2) = φ(a) = φ(1 + 1 + · · ·+ 1) = a,
so that φ(√a) would be a square root of a in Qq, a contradiction.
Similarly, if q = 2 then we can find a = 1 + kp = 3 + 4`, so that√a ∈ Qp again, but√
a 6∈ Q2. so the same argument applies.
23.11 The b-adic numbers
Note that for any integer b > 2 one can, in fact, define the ring of b-adic numbers, whichconsists of numbers pk(a0+a1b+a2b
2+· · ·+aibi+. . . ), where k ∈ Z and all ai ∈ {0, 1, 2, . . . , b−1}. However, if b is composite, this ring has nonzero zero divisors (nonzero numbers a, a′
such that aa′ = 0), so is not a field — in fact not even an integer domain. The followingexercise proves this for b = 6.
Exercise. Define the ring of 6-adic numbers as for the p-adic numbers but with 6replacing p. Show that the 6-adic numbers are not a field by finding a 6-adic numberα 6= 0,−1 satisfying α(α + 1) = 0.
[Suggestion: put α = 2 + a1 · 6 + a2 · 62 + a3 · 63 + · · · , and solve α(α+ 1) = 0 mod 6k fork = 2, 3, . . . to obtain a1, a2, a3, . . . and hence α.]
113